Implementing Firewalls & Proxy Servers

Session ES132

Implementing Firewalls & Proxy Servers

Robert Gezelter
Software Consultant
35 – 20 167th Street, Suite 215
Flushing, New York 11358 – 1731
United States of America
+1 718 463 1079
[email protected]

Tuesday, November 9, 1998, 1:30 pm – 2:50 am, Room 11B
Fall 1999 US DECUS Symposium
San Diego Convention Center, San Diego, California

Implementing Firewalls & Proxy Servers, Slide 1

Robert Gezelter, Software Consultant
35 – 20 167th Street, Suite 215, Flushing, New York 11358 – 1731 USA
+1 718 463 1079
© 1998, Robert Gezelter, All Rights Reserved

Slide 2: Software Installation Notes — General

• Keep Notes
• Make Backups
• Use a Test Environment
• Use Blackboards

Slide 3

Regardless of whether you are running a single Pentium with Microsoft RRAS and Proxy Server, or a major corporation with hundreds of routers, firewalls and servers, the goal is the same — survival.

Slide 4: Common Corporate Model

[Diagram: Host Computer A, Host Computer B and Host Computer C behind a single Firewall]

Slide 5: Software Installation Notes — WNT Specific

• GUI Managed — Keep Notes
• Read ALL WWW pages FIRST
• Make Backups
• Make NEW Recovery Diskette OFTEN!
• Significantly more fragile than OpenVMS
• Registry Hazards

Slide 6: Common Corporate Reality

[Diagram: Acme Financial Corporation, comprising a Trust Department, Mergers & Acquisitions and a Merchant Bank]

Slide 7: Common Corporate Model

[Diagram: Host C and Host D behind the Department A1 Firewall; Host C and Host D behind the Department A2 Firewall; both departments behind the Corporate Firewall and joined by an Encrypted Tunnel]

Slide 8: Introduction

• Goals
• Issues and Definitions
• Terminology
• Us/Them
• Services
• Topologies

Slide 9: Goals

• What are Firewalls and Proxy Servers?
• How to use a single IP address to serve the entire organization
• Why caching is central to performance
• Establish Channels and Controls

Slide 10: Terminology

• IP Address
• Domain Name System (DNS)
• Bridges
• Routers
• Firewalls
• Proxy

Slide 11: ISO Open Systems Interconnect Model

Application
Presentation
Session
Transport
Network
Data Link
Physical

Slide 12: IP Address

• 32-bits (IPv4)
• Written as ddd.ddd.ddd.ddd
• Assigned by ISP/InterNIC
• Address Classes: A, B, C
• CIDR (Classless Inter Domain Routing)
• Shortened OSI Implementation

Slide 13: Domain Name System

• Translates Name into IP Addresses
• Distributed, cached database
• Hierarchical Name Space
• Security issues
• Root Level Domains
• Who controls your entries

Slide 14: Bridges

• Data Link level
• LAN/LAN
• Sometimes filtering

Slide 15: Routers

• Network Level
• Can Screen Packets by address/protocol
• No application knowledge
• Stateless
• Ownership
• Access

Slide 16: Firewall

• Not Generally Defined Term
• Intended as choke point
• Point of control
• Point of access
• Access Control
• Validation/Authentication

Slide 17: Proxy

• Not well defined
• Can be Routing, or Application
• May or may not include checking
• Acts on behalf of
• Can be simple or complex

Slide 18: The Gestalt of it All

• On the Internet, nobody has "evolutionary dominance"
• Hubris
• Social Engineering II — Information Warfare

Slide 19: Us vs. Them

• Who NEEDS to know?
• What is permissible?
• What is safe?
• Who NEEDS to do what?
• Not black/white
• Like to Know/Need to Know
• VERY Gray!

Slide 20: Services

• FTP
• Telnet
• HTTP
• Gopher
• DNS
• PING
• FINGER, ...

Slide 21: Facilities

• Virtual Private Networks
• Dial-up
• Authentication
• Credentials

Slide 22: Trust

Trust is the fundamental problem in the online connected world.

Today’s environment requires a flexible trust model, including:

• colleagues
• collaborators
• competitors

Slide 23: Policies and Politics

• Company policies
• Disclosure
• Defamation/Harassment
• Access Control
• Regulations
• Auditing
• Accountability
• Monopoly on Force

Slide 24: Security Eco-system

A Firewall (or Firewalls) does not exist in a vacuum; it is part and parcel of the entire security plan.

Slide 25: Security Eco-system

Before you can sit down to plan your configuration, you need to understand your environment well.

Slide 26: Common Corporate Model

[Diagram: Host Computer A, Host Computer B and Host Computer C behind a Firewall]

Slide 27: Common Corporate Reality

[Diagram: Acme Financial Corporation, comprising a Trust Department, Mergers & Acquisitions and a Merchant Bank]

Slide 28: Complementary Technologies/Strategies

• Hidden Subnets (RFC 1597)
• Virtual Private Networks
• Multi-level DNS
• DHCP restrictions

Slide 29: Hidden Subnetworks RFC 1597

Slide 30

"Overall, he judged it to be better to be invisible than agile ..."
– Red Storm Rising

Slide 31

Routers filter packets based upon source and destination addresses and protocol type. Their efficacy is limited.

Slide 32

Firewalls (bastion hosts) should be the exclusive "ports of entry" into your internal network. These concerns also apply to nested security environments.

Slide 33

Many assets are now addressable via IP, from printers to PBXes. It is highly undesirable that most of these resources be accessible from outside the security perimeter.

Slide 34

RFC 1597 is a scheme which reserves a portion of the IPv4 address space for guaranteed internal use in non-publicly addressable networks.

Slide 35

Enter RFC 1597 – Address Allocation for Private Internets

Slide 36: What is reserved by RFC 1597?

Guaranteed non-public allocation of:

• 1 Class A Address Block (10.0.0.0 – 10.255.255.255)
• 16 Class B Address Blocks (172.16.0.0 – 172.31.255.255)
• 255 Class C Address Blocks (192.168.0.0 – 192.168.255.255)

Slide 37: RFC 1597 Intent

Permit the connection of large numbers of local devices to LANs via IP without requiring every LAN to hold a Class A address space. It is worth noting that even a private residence could easily overflow a Class C address space.

Slide 38: Implications of RFC 1597

• Repeatedly sub-dividable
• Internal nodes (workstations, servers, PCs) cannot connect to outside servers EXCEPT through an approved application proxy on an outside addressable host.
• Inbound connections must go through approved proxies on the (externally visible) gateways.
• Internal nodes need not be renumbered due to changes in externally visible address ranges caused by CIDR adjustments and/or access provider changes.

Slide 39: Router Configuration

• Access Providers should filter the RFC 1597 Address Blocks
• Nested internal routers should filter addresses
• Your router outside your firewall should filter RFC 1597 addresses
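The following is an added example, not code from the presentation: it models the two rules of slides 38 and 39 for the router outside the firewall, using the three RFC 1597 blocks from slide 36 and Python's standard ipaddress module. The gateway addresses, the sample packets and the "in"/"out" direction labels are assumptions constructed for the example (198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges, not addresses from the slides).

```python
# Added example (not from the presentation): border-router filter for RFC 1597
# address blocks plus the proxy-only rule of slide 38.  All addresses are
# constructed for the example; 198.51.100.0/24 and 203.0.113.0/24 are
# RFC 5737 documentation ranges.
import ipaddress
from dataclasses import dataclass

# The three blocks reserved by RFC 1597 (today RFC 1918), as listed on slide 36.
RFC1597_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),      # one Class A block
    ipaddress.ip_network("172.16.0.0/12"),   # sixteen Class B blocks
    ipaddress.ip_network("192.168.0.0/16"),  # the 192.168 Class C blocks
)

# Externally visible gateway/proxy hosts (constructed addresses, an assumption).
EXTERNAL_GATEWAYS = frozenset({"198.51.100.10", "198.51.100.11"})


def is_rfc1597(address: str) -> bool:
    """True if the IPv4 address falls inside any RFC 1597 private block."""
    ip = ipaddress.ip_address(address)
    return any(ip in block for block in RFC1597_BLOCKS)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "in": arriving from the access provider; "out": leaving toward it


def border_filter(pkt: Packet) -> tuple:
    """Verdict of the router outside the firewall: ("accept" | "drop", reason)."""
    # Rule 1 (slide 39): RFC 1597 addresses never belong on the external link.
    # Inbound they are unroutable, hence a misconfiguration or forged; outbound
    # they would reveal the hidden subnet and could never be answered anyway.
    if is_rfc1597(pkt.src) or is_rfc1597(pkt.dst):
        return ("drop", "RFC 1597 address on external link")
    # Rule 2 (slide 38): outside access happens only via the proxy/gateway hosts.
    if pkt.direction == "out" and pkt.src not in EXTERNAL_GATEWAYS:
        return ("drop", "outbound traffic must originate at an approved proxy")
    if pkt.direction == "in" and pkt.dst not in EXTERNAL_GATEWAYS:
        return ("drop", "inbound connections must terminate at an approved proxy")
    return ("accept", "ok")


def audit(packets) -> dict:
    """Count verdicts over a packet list, as a quick log-review sanity check."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        counts[border_filter(pkt)[0]] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample traffic crossing the border router.
    sample = [
        Packet("198.51.100.10", "203.0.113.7", "out"),  # proxy fetching a page: accept
        Packet("203.0.113.7", "198.51.100.10", "in"),   # reply to the proxy: accept
        Packet("192.168.1.5", "203.0.113.7", "out"),    # hidden workstation leaking out: drop
        Packet("203.0.113.7", "10.0.0.4", "in"),        # outside packet aimed at a hidden host: drop
        Packet("10.9.9.9", "198.51.100.10", "in"),      # private source arriving from outside: drop
        Packet("203.0.113.7", "198.51.100.99", "in"),   # inbound to a non-proxy address: drop
    ]
    for pkt in sample:
        print(pkt.direction, pkt.src, "->", pkt.dst, *border_filter(pkt))
    print(audit(sample))
```

Rule 1 is symmetric on purpose: dropping private source addresses that arrive from outside is the "Access Providers should filter" point of slide 39, and dropping private addresses leaving is what keeps the hidden subnet hidden. As slide 40 cautions, rejecting packets by address is not the same as protecting the link itself; the proxy hosts still carry the real access control.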


Slide 40: Router Implications

• Internal hosts (possibly nested) are invisible to systems outside the firewall
• Even if your router fails, the from address is ambiguous
• The previous note is not as safe as might be perceived; an attack on your link might be feasible.

[Diagram: Host C and Host D behind the Department A1 Firewall; Host C and Host D behind the Department A2 Firewall; both behind the Corporate Firewall]

Slide 41: RFC 1597 and Domain Name Services

• Internal DNS serving
• External DNS serving
• Implications

Slide 42: Internal DNS

• Final authority on nodes inside the firewall
• Uses firewall to resolve external DNS

[Diagram: Host C and Host D behind the Department A1 Firewall, Host C and Host D behind the Department A2 Firewall, both behind the Corporate Firewall]

Slide 43: External DNS

• All internal mail targets are represented by MX records
• Internal nodes which are not to be addressed may be totally absent from the External DNS

[Diagram: same nested Department A1/A2 and Corporate Firewall topology]

Slide 44: DNS Implications

• SMTP mail is forced to route through the gateway
• FTP, TELNET, HTTP cannot even resolve the address of interior systems.

[Diagram: Host C and Host D behind the Department A1 Firewall, Host C and Host D behind the Department A2 Firewall, both behind the Corporate Firewall]

Slide 45: Relationship Connectivity

• RFC 1597 addresses can be used together with careful management to protect IP links with business and strategic partners
• Mutual distrust
• "No Man’s" land

[Diagram: same nested Department A1/A2 and Corporate Firewall topology]
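As an added example (not from the presentation), the internal/external DNS split of slides 42 through 44 can be modelled as two zone views selected by the querying client's address: queries from RFC 1597 addresses see the internal authority, everyone else sees only the gateway and the MX records. The zone data, host names and addresses are constructed (example.com is a reserved documentation name; 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 ranges), and choosing the view purely by client source address is a simplification of how a production split-horizon server would do it.

```python
# Added example (not from the presentation): split-horizon DNS views for a
# hidden RFC 1597 network, plus an audit of the external view.  Zone data,
# names and addresses are constructed for the example.
import ipaddress

RFC1597_BLOCKS = tuple(ipaddress.ip_network(n)
                       for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_internal(address: str) -> bool:
    """True if the address is inside one of the RFC 1597 blocks (slide 36)."""
    ip = ipaddress.ip_address(address)
    return any(ip in block for block in RFC1597_BLOCKS)


# Internal view (slide 42): final authority on the hidden nodes; keyed by (name, type).
INTERNAL_ZONE = {
    ("hostc.example.com", "A"): ["10.1.0.3"],
    ("hostd.example.com", "A"): ["10.1.0.4"],
    ("gateway.example.com", "A"): ["198.51.100.10"],
    ("example.com", "MX"): ["10 gateway.example.com"],
}

# External view (slide 43): hidden nodes are absent; mail targets appear only as
# MX records that point at the gateway, so SMTP is forced through it (slide 44).
EXTERNAL_ZONE = {
    ("gateway.example.com", "A"): ["198.51.100.10"],
    ("www.example.com", "A"): ["198.51.100.11"],
    ("example.com", "MX"): ["10 gateway.example.com"],
}


def select_view(client: str) -> dict:
    """Queries from RFC 1597 addresses get the internal view; all others the external."""
    return INTERNAL_ZONE if is_internal(client) else EXTERNAL_ZONE


def resolve(client: str, name: str, rtype: str):
    """Answer as the split server would; None models NXDOMAIN / no data."""
    key = (name.lower().rstrip("."), rtype.upper())
    return select_view(client).get(key)


def external_leaks(zone: dict) -> list:
    """Audit the external view: no A record may carry an RFC 1597 address, and
    every MX target must itself resolve in this view to a public address."""
    leaks = []
    for (name, rtype), rdata in zone.items():
        if rtype == "A":
            leaks.extend((name, a) for a in rdata if is_internal(a))
        elif rtype == "MX":
            for entry in rdata:
                target = entry.split()[-1]
                addrs = zone.get((target, "A"), [])
                if not addrs or any(is_internal(a) for a in addrs):
                    leaks.append((name, entry))
    return leaks


if __name__ == "__main__":
    inside, outside = "10.1.0.50", "203.0.113.7"   # constructed client addresses
    for client in (inside, outside):
        for name, rtype in (("hostc.example.com", "A"), ("example.com", "MX")):
            print(client, name, rtype, "->", resolve(client, name, rtype))
    print("external leaks:", external_leaks(EXTERNAL_ZONE))
```

The audit function is the check a practitioner wants before publishing the external zone: an interior address that slips into the external view defeats the "cannot even resolve the address of interior systems" property, and an MX pointing at a name that does not resolve publicly (or resolves to a hidden address) breaks inbound mail rather than forcing it through the gateway.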

 1998, Robert Gezelter, All Rights Reserved

Robert Gezelter

Robert Gezelter

Software Consultant

Software Consultant

NOTES

23

 1998, Robert Gezelter, All Rights Reserved

Slide 46: Summary

RFC 1597 provides an excellent framework for implementing an environment which enhances the safety support provided by your firewall(s).

Slide 47: Corporate Strategy

• Keep things outside
• Minimize Trust
• Minimize Exposure
• Minimize Firewall use
• Public/Semipublic Outside
• Nest Security/Access Domains
• Parents AND Sibling Domains

Slide 48: General Corporate Implementation

[Diagram: Host Computer A, Host Computer B and Host Computer C inside the firewall; Bastion WWW Server and FTP Server on the outside]

Slide 49: Virtual Private Networks

• Use Encryption
• Caution: Derived Trust
• Efficient Solution
• Ease of Use
• Make it easy to be good

Slide 50: Multi-level DNS

• Keep inside invisible
• Mail headers
• Fake Authorities
• Ambiguities
• Point of attack
• Availability issues

Slide 51: DHCP restrictions

• Within domain
• Within physical department
• DO NOT Proxy

Slide 52: Bibliography

Hutt, Bosworth, Hoyt, "The Computer Security Handbook, 3rd Edition/Updated", John Wiley & Sons
Internet RFCs
Littman, "The Fugitive Game", Little Brown
Stoll, Clifford, "The Cuckoo’s Egg"

Slide 53: Questions?

Robert Gezelter
Software Consultant
35 – 20 167th Street, Suite 215
Flushing, New York 11358 – 1731
United States of America
+1 718 463 1079
[email protected]