Firewalls

2021-12-05

1. Background

network access policy

  • default-deny principle

Data Formats

Network attacks

  • Port scanning
  • IP spoofing
  • Packet sniffing

    Normally, a NIC only picks up packets destined to its own MAC address. But if the NIC is set to promiscuous mode, then all the packets on the channel will be picked up.

  • DoS (Denial of Service) attacks
    • smurf attack (a flood of ICMP echo requests, i.e. ping)

2. Stateless Firewall

Filtering rules (network access policy) are defined based on source/dest addresses, source/dest ports, and TCP flags (SYN/ACK).

3. Stateful (Dynamic Packet Filtering) Firewalls

Stateful firewalls filter packets based on the full context of a session.

3.1. Stateless vs Stateful

  • Stateful firewalls are more vulnerable to DDoS (Distributed Denial of Service) attacks because of the heavy computational and storage resources they require.
  • Stateless firewalls offer higher throughput and lower cost, but a lower level of security.

4. NAT (Network Address Translation)

  • Network Address Translation (NAT) simply rewrites the source and/or destination addresses.
  • Port Address Translation (PAT) allows multiple hosts to share a single IP address via port mapping.
  • PAT can be considered a subset of NAT, and NAT is often used generically to mean all forms of NAT/PAT.
  • By using NAT, multiple hosts can share a single (or limited) IP address space.
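An added Python simulation (not from the original notes) of the PAT behaviour described above: each private (IP, port) pair is mapped to a distinct port on one public address, replies are mapped back, and inbound packets with no mapping, or from a different remote endpoint than the one the inside host contacted, are dropped. The addresses, ports and the endpoint-dependent inbound check are constructed assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PAT:
    """Port Address Translation: many private hosts share one public IP, told apart by port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port      # next public port to hand out (constructed policy)
        self.outbound_map = {}           # (private ip, private port, remote ip, remote port) -> public port
        self.inbound_map = {}            # public port -> that same 4-tuple

    def translate_outbound(self, pkt):
        """Rewrite the source of a packet leaving the private network, allocating a port on first use."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound_map[key])

    def translate_inbound(self, pkt):
        """Rewrite the destination of a packet arriving from the Internet.

        Returns None (drop) when no inside host created the mapping or when the sender is not
        the endpoint the inside host talked to; this is why a PAT device incidentally blocks
        unsolicited inbound connections even without an explicit firewall rule."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.inbound_map:
            return None
        private_ip, private_port, remote_ip, remote_port = self.inbound_map[pkt.dst_port]
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)
```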

5. Firewall Complications/ Problems

  • IP Fragmentation DoS attack

    Reassembly (defragmentation) can only take place once all fragments have arrived. UDP/ICMP-based fragmentation attacks usually send fake fragments that can never be reassembled. Temporary storage of the fragments takes up memory and, in the worst case, may exhaust the available memory.

    • For example, a 110-byte ICMP packet is broken into 5 fragments, with total lengths of 40, 40, 40, 40 and 30 bytes respectively (the ICMP data is broken into pieces of 12, 20, 20, 20 and 10 bytes).
    • From the 2nd fragment onwards, each fragment contains an IP header but no ICMP header. Such fragments can easily sneak through a stateless firewall. For example, a stateless packet filter that blocks inbound ICMP echo requests will drop the first fragment when it sees it, whereas the remaining fragments will creep through.
    • Countermeasure: keep a list containing the identifier (SA/DA/PROT/ID) of the zero-offset fragment together with the filtering decision made for it; however, this opens the door to the overlapping fragment attack.
  • Overlapping Fragment attack

    A TCP-based fragmentation attack (also known as teardrop), however, is usually directed against the defragmentation mechanisms of the target systems or security components. Overlapping fragments are sent that, in extreme cases, may cause the target system to freeze, depending on the operating system.

    Overlapping fragments may also be used in an attempt to bypass Intrusion Detection Systems. In this exploit, part of an attack is sent in fragments along with additional random data; later fragments may overwrite the random data with the remainder of the attack. If the completed packet is not properly reassembled at the IDS, the attack goes undetected.

  • The DF bit is set to 0 (meaning “May Fragment”)
  • The MF bit is set to 0 (meaning “Last Fragment”)
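To make the fragment leak and the identifier-list countermeasure concrete, here is an added Python simulation (not from the original notes). The addresses and the fragment size are constructed (24-byte payloads, a multiple of 8 as IP requires, rather than the 20-byte pieces in the example above), and the overlap check in the last function is an extra defence that rejects a fragment rewriting bytes already accepted.

```python
from dataclasses import dataclass
IP_HDR = 20             # IPv4 header without options, in bytes
ICMP_ECHO_REQUEST = 8   # value of the ICMP type field

@dataclass
class Fragment:
    src: str
    dst: str
    proto: int       # 1 = ICMP, 17 = UDP
    ident: int       # IP Identification, shared by all fragments of one datagram
    offset: int      # fragment offset in bytes (real IP encodes it in 8-byte units)
    mf: bool         # More Fragments flag
    payload: bytes   # everything after the IP header

def fragment_icmp_echo(src, dst, ident, data, mtu=44):
    """Split one ICMP echo request carrying `data` into fragments of at most `mtu` bytes."""
    icmp = bytes([ICMP_ECHO_REQUEST, 0]) + b"\x00" * 6 + data   # type, code, zeroed checksum/id/seq
    chunk = (mtu - IP_HDR) // 8 * 8      # payload per fragment must be a multiple of 8 bytes
    frags = []
    for off in range(0, len(icmp), chunk):
        part = icmp[off:off + chunk]
        frags.append(Fragment(src, dst, 1, ident, off, off + chunk < len(icmp), part))
    return frags

def stateless_verdict(frag):
    """Rule 'drop inbound ICMP echo request': only the zero-offset fragment can ever match it."""
    return frag.proto == 1 and frag.offset == 0 and frag.payload[0] == ICMP_ECHO_REQUEST

def filter_stateless(frags):
    return [f for f in frags if not stateless_verdict(f)]

def filter_with_fragment_table(frags):
    """Remember the verdict on the zero-offset fragment, keyed by (SA, DA, PROT, ID), apply it to
    every later fragment of that datagram, and drop fragments overlapping already accepted bytes."""
    decisions = {}   # key -> True if the datagram is to be dropped
    seen = {}        # key -> byte ranges (start, end) accepted so far
    passed = []
    for f in frags:
        key = (f.src, f.dst, f.proto, f.ident)
        if f.offset == 0:
            decisions[key] = stateless_verdict(f)
        drop = decisions.get(key, True)          # no zero-offset fragment seen yet: drop
        start, end = f.offset, f.offset + len(f.payload)
        if any(start < e and s < end for s, e in seen.get(key, [])):
            drop = True                           # overlapping fragment
        if not drop:
            seen.setdefault(key, []).append((start, end))
            passed.append(f)
    return passed
```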

5.1. Countermeasure – Proxy Firewall

A proxy firewall, also called an “application-level gateway”, filters traffic at the application layer; it performs deeper packet inspection than network-layer firewalls.

  • With a proxy-aware router, the client’s request is intercepted and directed to a proxy server.
  • After receiving the HTTP request, the proxy server opens a new HTTP connection to the target web server on the user’s behalf (this step is completed only if the request matches the security policy configured on the server); the proxy also forwards the response back to the user.

5.1.1. Pros and Cons

Pros

  • Can enforce stricter security policies.
  • Can perform data logging more effectively.
  • Allows network caching to improve connection performance.

Cons

  • Without caching and proper cache management, user-perceived performance is significantly affected.
  • When a new application is added, a new proxy service has to be developed for the application gateway.
  • Because all requests pass through the proxy server, it can be a single point of failure.

6. Architecture

Screening router

  • Router and packet filter combined in one device
  • Low cost

Dual-homed Host

To use a dual-homed host as a firewall, the routing function is disabled – this is the fundamental difference between this architecture and the screening router.

Hosts on the internal net cannot talk directly to hosts on the Internet, and vice versa; they must do so via a proxy.

Two ways to communicate with the Internet: proxying, or logging directly into the dual-homed host.

  • Higher cost; single point of failure

Screened/Bastion Host

  • The screening router is configured so that the bastion host is the only system on the internal network visible from the Internet (the point of the bastion host is to host the services that must be reachable from outside)
  • two levels of protection
    • primary security: provided by screening router
    • secondary security: provided by proxying via Bastion Host

Screened Subnet

It adds an extra layer of security to the screened host architecture by adding a perimeter network that further isolates the internal network from the Internet.

  • Perimeter network
    • If someone breaks into a bastion host on the perimeter network, they can only snoop on perimeter-network traffic; traffic on the internal network remains protected
  • An exterior filtering router protects both the perimeter and internal nets from the Internet
    • Intrusion detection and auditing should be incorporated at network perimeter points

7. Summary

Strengths

  • Access control
  • Privacy protection
  • Auditing of traffic and data

Drawbacks

  • Cannot protect against malicious insiders or an internal host used as a pivot
  • Incorrect or incomplete configuration leads to insecurity

8. Further reading

  • Infosec tidbits 8 (信安小知识-8)
  • iptables lab (iptables实验)
  • Security