Network Security - Ingegneria - Università degli Studi di Brescia
Network Security
Part 2: protocols and systems
(f) Firewalls and VPNs (overview)
Università degli Studi di Brescia
Dipartimento di Ingegneria dell’Informazione
2014/2015
Security perimeter
[Figure: the security perimeter. A firewall sits between the Internet (outsiders) and the protected resources (insiders); other networks attach to the perimeter as well.]
- Access control, monitoring and management. Differentiate between insiders and outsiders
- Different types of outsiders
Copyright © 2004-2014 Francesco Gringoli & Luca Salgarelli <[email protected]> - All rights reserved
Security perimeter’s main components:
firewalls
[Figure: a firewall between the Internet and the protected resources, separating outsiders from insiders.]
• Firewalls separate insiders from outsiders, and differentiate between the different insiders’ traffic types
• Filtering policies can be
▫ Stateless: each packet is judged on its own against the rule set (addresses, ports, flags)
▫ Stateful: packets are judged as part of a tracked connection, so that, for example, only replies to connections opened from the inside are let back in
• An Application Level Gateway (ALG) must be implemented for protocols that do not respect layering (e.g., FTP, which announces the IP address and port of its data connection inside the control channel), and when NATs are involved (the announced address has to be rewritten)
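To make the FTP case concrete, here is an added example that is not part of the original slides: the control-channel parsing an FTP application level gateway has to do, written as POSIX shell functions. The client's PORT command (or the server's 227 reply to PASV) announces the IP address and port of the upcoming data connection inside layer-7 payload, so a firewall that inspects only layers 3 and 4 cannot know which flow to admit, and a NAT in the path has to rewrite the announced private address. The control-channel lines, the addresses and the table name fw in the emitted nftables rule are all constructed; the rule is only printed, not loaded.

```shell
#!/bin/sh
# Added example (not from the slides): the layer-7 parsing an FTP application
# level gateway has to perform.  FTP announces the data connection's endpoint
# inside the control channel, so a firewall looking only at layers 3 and 4
# cannot know which flow to admit.  All addresses and lines are constructed.

# FTP host-port notation "h1,h2,h3,h4,p1,p2" -> "h1.h2.h3.h4 port"
ftp_hostport_to_addr() {
    _old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 6 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# The inverse, "a.b.c.d port" -> "a,b,c,d,p1,p2", needed to rewrite PORT
ftp_addr_to_hostport() {
    _old_ifs=$IFS; IFS=.
    set -- $1 $2
    IFS=$_old_ifs
    [ $# -eq 5 ] || return 1
    case $5 in ''|*[!0-9]*) return 1 ;; esac
    [ "$5" -le 65535 ] || return 1
    printf '%s,%s,%s,%s,%d,%d\n' "$1" "$2" "$3" "$4" $(( $5 / 256 )) $(( $5 % 256 ))
}

# Extract the data-connection endpoint from one control-channel line.
# Prints "<ip> <port> <direction>": "in" for a client PORT command (the server
# connects back to the client), "out" for the server's 227 reply to PASV (the
# client connects to the server).
ftp_alg_extract() {
    case $1 in
        "PORT "*)
            _arg=${1#"PORT "}
            _arg=${_arg%%[!0-9,]*}          # drop CRLF or anything after the digits
            _ep=$(ftp_hostport_to_addr "$_arg") || return 1
            printf '%s in\n' "$_ep" ;;
        "227 "*"("*")"*)
            _arg=${1#*"("}
            _arg=${_arg%%")"*}
            _ep=$(ftp_hostport_to_addr "$_arg") || return 1
            printf '%s out\n' "$_ep" ;;
        *)
            return 1 ;;
    esac
}

# Turn the endpoint into the single pinhole the forward chain needs.  Printed
# only: loading it needs root and an existing table "fw" (a constructed name).
ftp_alg_rule() {
    _ep=$(ftp_alg_extract "$1") || return 1
    set -- $_ep
    printf 'add rule inet fw forward ip daddr %s tcp dport %s ct state new accept comment "ftp data %s"\n' "$1" "$2" "$3"
}

# Behind a NAT the client's PORT carries its private address, which the server
# cannot reach: the ALG rewrites it with the NAT's public address and the port
# the NAT reserved for the expected inbound data connection.
#   $1 = original PORT line, $2 = public IP, $3 = mapped port
ftp_alg_nat_rewrite_port() {
    case $1 in "PORT "*) ;; *) return 1 ;; esac
    ftp_alg_extract "$1" >/dev/null || return 1     # refuse malformed input
    _hp=$(ftp_addr_to_hostport "$2" "$3") || return 1
    printf 'PORT %s\n' "$_hp"
}

# Constructed control-channel lines, as an ALG would see them:
ftp_alg_rule 'PORT 10,0,0,5,4,210'
ftp_alg_rule '227 Entering Passive Mode (198,51,100,7,195,81).'
ftp_alg_nat_rewrite_port 'PORT 10,0,0,5,4,210' 203.0.113.2 40001
```

The important point is that none of this is possible from the packet headers alone: the pinhole's address and port exist only in the FTP payload, and a stateless or purely layer-3/4 stateful firewall would either have to open the whole unprivileged port range or break the data connection. The same reasoning applies to the other layering-violating protocols the slides list later (H.323, chat protocols), each with its own payload format.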
Security perimeter’s main components:
firewalls
[Figure: an outsider reaches the protected resources through a tunnel that crosses the firewall: an SSL tunnel (layer-4 VPN) or a VPN such as IPSec (layer-3 VPN).]
• In some cases, certain outsiders can temporarily become insiders
▫ Independently of the traffic type, in the case of proper (layer-3) Virtual Private Networks (e.g., IPSec)
▫ Only for certain traffic classes, in the case of SSL/TLS, SSH, etc. These are layer-4 VPNs
• Firewalls not only block unwanted traffic: they also need to limit dangerous traffic, such as DoS, etc.
Firewall architectures
• SW-only on general purpose processors
▫ Most economical and flexible approach
▫ Main problem: limited throughput, especially when
encryption is needed (for VPNs)
• SW on general purpose processors + cryptographic HW
acceleration
• Dedicated HW (router)
▫ Costly solution, usually based on proprietary architectures
▫ In many circumstances, e.g., when Gb/s links are
involved, this is the only viable solution
Firewalled network architectures
De-Militarized Zones (DMZ)
[Figure: a firewall with three interfaces: one towards the Internet, one towards the DMZ, one towards the protected internal networks.]
• A DMZ is (inappropriately) defined as a set of one or more subnets that are attached to the firewall’s interface with the lowest security policies
▫ The actual DMZ, with respect to “military terminology”, should be the firewall’s interface towards the Internet
• Servers that must be accessible both from the Internet and from the internal networks are placed on the DMZ
▫ E.g.: e-mail servers, VPN servers, DNS servers, etc.
Firewalled network architectures
DMZ with two firewalls
[Figure: Internet, Firewall 1, DMZ, Firewall 2, protected resources, in sequence: the DMZ lies between the two firewalls, so a compromised DMZ host still faces Firewall 2 before it can reach the internal networks.]
Configuring a firewall: a complex procedure
• Never use “generic” rules
▫ For example, traffic to port 25 (SMTP) should be allowed only towards the e-mail servers on the DMZ, never towards all servers on the DMZ
• Be careful with what you filter
▫ Never filter ICMP completely! Error reporting and path MTU discovery depend on it
▫ An example of a correct configuration:
  - Block the ICMP types that can carry attacks, such as redirect, timestamp request and reply, information request, etc.
  - Filter and rate-limit the other ICMP types, such as echo-request, destination-unreachable, etc.
• Problems with many legitimate applications that violate layering (they carry addresses and ports inside the application payload)
▫ FTP
▫ H.323
▫ Chat, etc.
• Managing the DMZ, especially when the configuration of the servers changes frequently, is a boring and complex task
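As an added example (not from the original slides), the following nftables ruleset applies the rules above to the three-legged firewall of the DMZ slides: a forward chain with a default drop policy, stateful acceptance of already established flows, per-host service rules instead of the generic port-25 rule, and ICMP filtered by type and rate-limited rather than blocked. The interface names wan, dmz and lan, the addresses 192.0.2.25 (mail server) and 192.0.2.50 (VPN server) and the table name fw are all constructed. fw_check only parse-checks the ruleset with nft -c; loading it is deliberately left out.

```shell
#!/bin/sh
# Added example: an nftables ruleset for the three-legged firewall of the DMZ
# slide.  Interface names, addresses and the table name are constructed.

fw_ruleset() {
    cat <<'EOF'
flush ruleset

table inet fw {
    # Only the DMZ hosts that really run each service
    set mail_servers {
        type ipv4_addr
        elements = { 192.0.2.25 }
    }
    set vpn_servers {
        type ipv4_addr
        elements = { 192.0.2.50 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful core: packets of an already accepted flow (and flows a
        # conntrack helper relates to it, e.g. FTP data) pass; anything that
        # belongs to no known connection is dropped by the chain policy
        ct state established,related accept
        ct state invalid drop

        # ICMP: drop the types that carry attacks or leak information,
        # rate-limit the rest; never block ICMP completely
        icmp type { redirect, timestamp-request, timestamp-reply, info-request, info-reply } drop
        icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept

        # Internet -> DMZ: one rule per service, addressed to the host that
        # runs it.  The generic form the slides warn against would be
        #   iifname "wan" oifname "dmz" tcp dport 25 accept
        # which exposes port 25 on every DMZ host.
        iifname "wan" oifname "dmz" ip daddr @mail_servers tcp dport 25 ct state new accept
        iifname "wan" oifname "dmz" ip daddr @vpn_servers udp dport { 500, 4500 } ct state new accept
        iifname "wan" oifname "dmz" ip daddr @vpn_servers meta l4proto esp accept

        # Internal networks may open flows towards the DMZ and the Internet;
        # the DMZ may not open flows towards the internal networks (policy drop)
        iifname "lan" oifname { "dmz", "wan" } ct state new accept
        iifname "dmz" oifname "wan" ip saddr @mail_servers tcp dport { 25, 53 } ct state new accept
        iifname "dmz" oifname "wan" ip saddr @mail_servers udp dport 53 ct state new accept
    }

    chain input {
        # Traffic to the firewall itself: management only from the inside
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 5/second accept
        iifname "lan" tcp dport 22 ct state new accept
    }
}
EOF
}

# Parse-check the ruleset without loading it (needs nft installed; with most
# nftables versions the check also needs root to open the netlink socket)
fw_check() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
    fw_ruleset | nft -c -f - && echo "ruleset parses" >&2
}

fw_ruleset
fw_check || echo "nft check failed or could not run" >&2
```

The IKE (UDP 500/4500) and ESP rules let an IPSec VPN server on the DMZ terminate layer-3 tunnels, matching the VPN-server placement on the DMZ slide. FTP is still not covered by any static rule here: the data connection only passes if the kernel's FTP conntrack helper (or an ALG) has read the control channel and marked the data flow as related.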
Layer-3 VPN technologies
[Figure: an outsider opens a VPN tunnel (e.g., IPSec) through the firewall and reaches the protected resources as an insider.]
• Two main types:
▫ IPSec
▫ PPTP/L2TP (note that L2TP on its own provides no confidentiality and is normally run over IPSec, and that PPTP’s MS-CHAPv2 authentication is considered broken)
• Open a virtual, secure layer-3 channel to the inside of a network
▫ The client temporarily becomes an insider at layer 3: all of its IP traffic through the tunnel enters the perimeter, whatever the application
Layer-4 VPN technologies
[Figure: an outsider opens an SSL tunnel through the firewall to one service among the protected resources.]
• Main approaches:
▫ SSL/TLS (stunnel)
▫ SSH
• The tunnel in this case is at the application layer: it carries one TCP connection (or a fixed set of forwarded ports), not arbitrary IP traffic, so the outsider becomes an insider only for those traffic classes
• Potential problems with long-term TCP-over-TCP connections
▫ The inner and outer TCP retransmission timers interact: when the outer connection loses a segment and stalls, the inner TCP also times out and retransmits inside the stalled tunnel, and throughput collapses