SystemsSec 2016W Lecture 16
Paper: Network Firewalls
The Security of Networked Computers
- The security of networked computers rests on a good system admin, reliable vendor software, and an educated user community.
- Three points to consider on the security of networked computers:
  - There are many points to defend on a networked computer: the mailer, the networked file system, the database servers, and even just the login prompt. All of these must be secured.
  - There are many points of attack: because the computer is networked (on the Internet), it can be attacked remotely.
  - Not all machines can be as secure as the system admin would like. Some users may connect to the network with weakly secured machines (e.g. a mobile phone) that compromise the network.
- A firewall is one answer to these three points. Disconnection from the network entirely is another.
- It is up to the individual which solution to choose. They must balance the cost of system failure against the benefits provided by a network. Usually the benefits outweigh the costs.
- Because every program is a potential security hole (bugs), the number of programs running on a machine should be kept minimal to limit the points of attack. Any program not in use should be disabled.
The Definition of a Firewall
- A firewall can be defined as a collection of components placed between two networks that collectively have the following properties:
  - All traffic from inside to outside, and vice versa, must pass through the firewall.
  - Only authorized traffic, as defined by the local security policy, will be allowed to pass.
  - The firewall itself is immune to penetration.
- A firewall that fails any one of these properties is simply a bad one.
On Gateways
- A gateway is a dedicated machine that runs a firewall.
- Using a gateway machine for a firewall gives certain benefits. Other computers on the network should not automatically trust the gateway, so if the gateway running the firewall falls, no other machine falls with it automatically.
- A firewall usually has two filters to block transmissions of certain types. The outside filter can be used to protect the gateway from attack, while the inside filter can be used to guard against the consequences of a compromised outside filter.
Firewalls: Packet Filtering, Circuit Gateways, Application Gateways
- Firewalls are classified into three main categories: packet filtering, circuit gateways, and application gateways.
- Packet filtering gateways drop packets based on either their source, their destination, or their service (port number).
- Circuit gateways are relays: a machine connects to a TCP port on the gateway, and the gateway relays the connection to some destination on the other side.
- Application gateways are like packet filtering gateways but are specific to a single application, which has the benefit that they can target the specific flaws of that application.
- Packet filtering gateways can have problems with FTP and DNS. Because UDP is connectionless, packet filtering cannot work with it.
- Setting port rules on a packet filtering gateway leaves no room for error.
- Application gateways require the use of specialized user interfaces for the services provided.
  - The downside is that mostly popular services will support application gateways, while newer, lesser-known services might not. This makes it hard to adopt newer technologies.
- Circuit gateways offer detailed control over the flow of information between two points.
  - For example, a circuit gateway can control who gets access to the printer in the boss's office: certain machines can be denied a connection to that printer.
- It is often a combined use of all these types of firewalls that provides the best security.
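The first-match packet filter and the "no room for error" point above, as an added example that is not from the paper or these notes: the addresses and the rule set are constructed, and the preempted_denies audit goes a step beyond the notes by checking the rule order mechanically (a deny listed after a broader allow never takes effect).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
ANY = "0.0.0.0/0"
INSIDE = "10.0.0.0/8"  # constructed internal address range

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # CIDR of sources, ANY for anywhere
    dst: str      # CIDR of destinations
    ports: range  # destination ports, i.e. the service

    def matches(self, src, dst, port):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst) and port in self.ports)

    def overlaps(self, other):
        """True if some packet could match both rules."""
        return (ip_network(self.src).overlaps(ip_network(other.src))
                and ip_network(self.dst).overlaps(ip_network(other.dst))
                and max(self.ports.start, other.ports.start) < min(self.ports.stop, other.ports.stop))

def decide(rules, src, dst, port):
    """First matching rule wins; unmatched traffic is dropped."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"

def preempted_denies(rules):
    """Audit: a deny placed after an overlapping allow never sees that traffic.
    Returns (deny index, allow index) pairs; the catch-all default is skipped."""
    found = []
    for i, later in enumerate(rules):
        if later.action != "deny" or (later.src, later.dst) == (ANY, ANY):
            continue
        for j, earlier in enumerate(rules[:i]):
            if earlier.action == "allow" and earlier.overlaps(later):
                found.append((i, j))
                break
    return found
# Constructed rule set (not from the paper) with an ordering mistake.
RULES = [
    Rule("allow", ANY, "10.0.0.25/32", range(25, 26)),   # outside mail to the mailer
    Rule("allow", ANY, INSIDE, range(1024, 65536)),      # FTP data: server connects back to a high port
    Rule("deny", ANY, "10.0.0.50/32", range(0, 65536)),  # database server: no outside connections
    Rule("deny", ANY, ANY, range(0, 65536)),             # default deny
]
FIXED = [RULES[0], RULES[2], RULES[1], RULES[3]]  # corrected: specific deny before the broad allow
```

With RULES, an outside connection to the database server on port 5000 is allowed by the FTP-data rule before the deny is ever consulted; preempted_denies reports that pair, and reordering to FIXED closes it.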
On Tunneling
- One of the most dangerous methods of bypassing a firewall is the use of tunnels. A tunnel is the encapsulation of a message of one protocol inside a second protocol: the second protocol is used to traverse the network, and at the destination the second protocol is stripped off and the original message is read as intended.
- If users are given the ability to send packets, and therefore to create tunnels from the inside to an outside source, then they can bypass the firewall and send any message they want.
- Solution? Making a tunnel means the user's computer must bypass the dedicated gateway, and to do so it must be known to the external router. The external router should only know the dedicated gateway, not the user's computer, so if an application or circuit gateway is in use this is easily detected. The user computer in violation of network security can be identified, and the individual at fault can be dealt with (it becomes a management issue).
- Consider that firewalls are especially useful for keeping potential attackers out when they attack from outside. They are not all that good at keeping "out" those who are already "in" (the building). This means employees who do not respect the security of the network are not necessarily the firewall's responsibility (they are out of its scope of defense). Again, this is an issue of internal management.
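The detection the notes describe for tunnelling hosts, as an added example that is not from the paper or these notes: an inside host whose packets reach the external router directly has gone around the gateway. The inside prefix, gateway address and router flow log are constructed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed topology (not from the paper): 10/8 is the inside network and the
# dedicated gateway is the only inside machine the external router should hear from.
INSIDE = ip_network("10.0.0.0/8")
GATEWAY = ip_address("10.0.0.1")

# Constructed flow records as the external router might log them: "src dst proto dport".
# Two hosts other than the gateway have gone around it; the last line is deliberately malformed.
ROUTER_LOG = """\
10.0.0.1 198.51.100.9 tcp 25
198.51.100.9 10.0.0.1 tcp 25
10.0.0.1 198.51.100.9 tcp 80
10.0.0.77 203.0.113.5 udp 4500
10.0.0.77 203.0.113.5 udp 4500
10.0.0.42 203.0.113.5 tcp 443
not a flow record
"""

def parse_flows(log):
    """Yield (src, dst, proto, dport) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield ip_address(parts[0]), ip_address(parts[1]), parts[2], int(parts[3])
        except ValueError:
            continue

def allowed_at_external_router(src, dst):
    """What the external router should ever see: traffic between the gateway
    and the outside, in either direction, and nothing else."""
    return ((src == GATEWAY and dst not in INSIDE)
            or (dst == GATEWAY and src not in INSIDE))

def bypassing_hosts(log):
    """Inside hosts (other than the gateway) whose packets reached the external
    router directly, i.e. the hosts that went around the gateway, with a flow
    count each so the worst offenders come first."""
    seen = Counter()
    for src, dst, _proto, _port in parse_flows(log):
        if src in INSIDE and src != GATEWAY and not allowed_at_external_router(src, dst):
            seen[str(src)] += 1
    return dict(seen.most_common())
```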