
Perimeter Security

CS498IA Spring 2007

Reading
  Ch. 25 (Intrusion Detection)
  Ch. 26 (Network Security)
  Optional: Firewalls and Internet Security, Cheswick, Bellovin, Rubin (the text about network security)

Network Security Approaches


  Secure network protocols
  Secure networked computers
  Perimeter security

Perimeter Defense
  [Diagram: the perimeter is the boundary between the Internet and the intranet]

Perimeter Defense Strategy


  Divide networks into zones of varying trust
    Simplest division: intranet (trusted) and Internet (untrusted)
  Put security measures on the boundaries between zones (choke points)
    E.g. the connection to the ISP

Perimeter Defense Advantages


  Scale
    Can configure one computer to be secure, but how about 1,000?
  Threat model
    Most threats come from less trusted zones
  Convenience
    Can use less secure protocols and software inside the perimeter
    Don't bother users with security protections unless they talk to the outside

Firewalls
  Filter traffic going across the perimeter boundary
  Various levels of sophistication
  [Diagram: firewall placed between the Internet and the intranet]

Packet Filter
  Filter IP packets based on their headers; fields may include:
    IP address (source & destination)
    TCP/UDP ports (source & destination)
    Flags
    Options
  Stateless & fast
    Implementation is based on lookup of header bits/bytes and decisions

Example Rules
  allow proto=TCP AND port=80
  deny proto=UDP AND port=1434
  deny sourceIP=127.0.0.1
  allow proto=TCP AND port=22 AND sourceIP=adminConsole

Example Policy
  [Diagram: firewall placed between the Internet and the intranet]
  Outbound traffic only:
    allow proto=TCP AND (sourceIP=inside OR ACK=true)
  What might be some issues with this policy?

More complicated network


  Need to allow services from within the intranet
  Option 1: punch a hole
    allow port=25 AND destIP=mailserver
  [Diagram: firewall between the Internet and an intranet containing desktops, an intranet web server, a mail server and a DNS server]
  Option 2: DMZ

Demilitarized Zone
  [Diagram: the firewall now has three sides: the Internet; the intranet (desktops, intranet web server); and the DMZ (mail server, public web server, DNS server)]

DMZ principles
  Restrict access
    from the Internet to the DMZ, to protect the servers
    from the DMZ to the intranet, to protect against compromises
  E.g.
    Allow connections from the Internet to the mail server on port 25 (SMTP)
    Allow connections from the intranet to the mail server on port 993 (secure IMAP)

Policies
  Firewall policies are typically lists of allow or deny rules
  What should the default rule be?
  Default allow:
    convenient, since it doesn't interfere with legitimate activity
  Default deny:
    more secure, since every allowed use undergoes security review
    if the policy is too restrictive, people complain and it gets fixed
    if the policy is too permissive, you only learn about it after an attack (too late!)

Other policy issues


  Scale
    Large organizations have thousands of rules
    How do you process them efficiently?
    How do you know they are correct?
  Ingress vs. egress filtering
    Ingress: filter packets coming from the Internet
    Egress: filter traffic going to the Internet (why?)

Packet Filter Limitations
  Packet fragmentation
    IP allows packets to be split into several fragments
  No connection semantics
    Actions only on individual packets
  No application semantics
    The only indication of the application protocol is the port number
    Modern applications abuse this fact

Higher-level analysis
  Packet filters cannot:
    Forbid a particular URL
    Detect email viruses
    Block (malicious) ActiveX plugins
  Alternate approaches:
    Stateful firewall: reconstruct connections
    Application-level proxy: transform connections

Stateful Firewall
  Reconstruct connection state
  Make decisions based on flows, not on packets
  Some application protocol parsing may also be done
  [Diagram: the interleaved packets "GET", "su", "/foo.html", "root" arrive on the wire; the firewall reassembles them into flow1 "GET /foo.html ..." and flow2 "su root"]

Application-Level Proxy
  Process incoming packets at the application layer
  Generate a transformed message stream
    Block dangerous messages
    Normalize protocol semantics
  [Diagram: the request "GET /foo.html HTTP/1.0 / Evil-option: yes" enters the proxy and leaves as "GET /foo.html HTTP/1.1 / Evil-option: no"]

Trade-offs
  Pro: higher precision
  Con: higher costs
    Scalability: keep state for all connections for 1000s of computers
    Latency: the proxy adds processing delays
    Flexibility: the proxy needs to understand everything you do with a protocol

Network Address Translation


  [Diagram: a local network (e.g., a home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4 sits behind a NAT router whose external address 138.76.29.7 faces the rest of the Internet]
  All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers
  Datagrams with source or destination in this network have a 10.0.0/24 address for source and destination (as usual)

NAT & security


  NAT was originally designed to address IP address scarcity
    A user (e.g. a DSL subscriber) pays for one or a few IP addresses for many computers
  Side benefit: simple firewall
    External ports are allocated when an internal host initiates a connection
    External connection attempts are impossible
  Modern NATs are more sophisticated
    Allow some external connections to exist
    Support for dynamic port allocation for P2P and UDP applications
    Limited firewall semantics

Network Intrusion Detection


  [Diagram: the NIDS hangs off the path between the Internet and the intranet rather than sitting in line]
  Passive traffic interception
    Send a copy of the traffic to the NIDS
    Do not block the normal path
  Better performance / worse security

NIDS vs. Firewalls


  Actions:
    Firewalls: block or allow
    NIDS: alert administrator, log, block (intrusion prevention system)
  Policies:
    Firewalls: ACL-style policy on (packet) attributes
    NIDS: attack signatures, statistical anomalies
  NIDS challenges:
    Evasion
    False positives

VPNs
  [Diagram: a home network reaches the intranet across the Internet through the corporate firewall]

VPNs and Firewalls


  VPN goals
    A home computer / laptop on the road can be on the corporate network
  VPN issues
    Home networks are less protected than the corporate network
    Attacks can vector through the VPN
  Mitigation
    Require protection on computers using the VPN
    More restrictive firewall policy on VPN connections

Blurring of the Perimeter


  VPNs
  Complicated network connections with multiple partners
  Wireless networks
  Laptops
  Malicious insiders
    Worms / compromised computers can be seen as malicious insiders

Host-based approaches
  Host-based IDS
    Earlier types of IDS were all host-based
    Can get better insight into host behavior
    But more susceptible to compromise
  Host-based firewalls
    Your laptop and desktop probably have this functionality already
  Challenge: management
    Require all users to install a firewall / IDS product; manage policies, configuration, and logs centrally
  Alternate approach: FW/IDS in routers and switches

If you want to learn more...


  Take the CS460 lab course
    Hands-on experience with firewalls and IDSs
  Take the CS463 course
    More detailed coverage of intrusion detection

Key points
  Perimeter security is popular
    Cheap, convenient, effective(?)
    Firewalls and IDSs are the most common tools for network security
  Firewalls and IDSs are fighting an uphill battle
    Both attackers and legitimate users struggle to avoid/evade them
  Security management is a key challenge
