Session ES132
Implementing Firewalls & Proxy Servers

Slide 1: Implementing Firewalls & Proxy Servers
Robert Gezelter, Software Consultant
35 – 20 167th Street, Suite 215, Flushing, New York 11358 – 1731, United States of America
+1 718 463 1079
[email protected]
Tuesday, November 9, 1998, 1:30 pm – 2:50 am, Room 11B
Fall 1999 US DECUS Symposium, San Diego Convention Center, San Diego, California
1998, Robert Gezelter, All Rights Reserved
Slide 2: Software Installation Notes — General
• Keep Notes
• Make Backups
• Use a Test Environment
• Use Blackboards

Slide 3
Regardless of whether you are running a single Pentium with Microsoft RRAS and Proxy Server, or a major corporation with hundreds of routers, firewalls and servers, the goal is the same: survival.
Slide 4: Common Corporate Model
[Diagram: Host Computer A, Host Computer B and Host Computer C sit behind a single Firewall]

Slide 5: Software Installation Notes — WNT Specific
• GUI Managed — Keep Notes
• Read ALL WWW pages FIRST
• Make Backups
• Make NEW Recovery Diskette OFTEN!
• Significantly more fragile than OpenVMS
• Registry Hazards
Slide 6: Common Corporate Reality
[Diagram: Acme Financial Corporation is made up of separate units: Trust Department, Mergers & Acquisitions, Merchant Bank]

Slide 7: Common Corporate Model
[Diagram: Department A1 (Host C, Host D) behind the Department A1 Firewall and Department A2 (Host C, Host D) behind the Department A2 Firewall, both nested behind the Corporate Firewall, with an Encrypted Tunnel]
Slide 8: Introduction
• Issues and Definitions
• Terminology
• Us/Them
• Services
• Topologies

Slide 9: Goals
• What are Firewalls and Proxy Servers?
• How to use a single IP address to serve the entire organization
• Why caching is central to performance
• Establish Channels and Controls
Slide 10: Terminology
• IP Address
• Domain Name System (DNS)
• Bridges
• Routers
• Firewalls
• Proxy

Slide 11: ISO Open Systems Interconnect Model
Layers, from top to bottom:
• Application
• Presentation
• Session
• Transport
• Network
• Data Link
• Physical
Slide 12: IP Address
• 32-bits (IPv4)
• Written as ddd.ddd.ddd.ddd
• Assigned by ISP/InterNIC
• Address Classes: A, B, C
• CIDR (Classless Inter Domain Routing)
• Shortened OSI Implementation

Slide 13: Domain Name System
• Translates Name into IP Addresses
• Distributed, cached database
• Hierarchical Name Space
• Security issues
• Root Level Domains
• Who controls your entries
Slide 14: Bridges
• Data Link level
• LAN/LAN
• Sometimes filtering

Slide 15: Routers
• Network Level
• Can Screen Packets by address/protocol
• No application knowledge
• Stateless
• Ownership
• Access
Slide 16: Firewall
• Not Generally Defined Term
• Intended as choke point
• Point of control
• Point of access
• Access Control
• Validation/Authentication

Slide 17: Proxy
• Not well defined
• Can be Routing, or Application
• May or may not include checking
• Acts on behalf of
• Can be simple or complex
Slide 18: The Gestalt of it All
• On the Internet, nobody has "evolutionary dominance"
• Hubris
• Social Engineering II — Information Warfare
• Not black/white
• VERY Gray!

Slide 19: Us vs. Them
• Who NEEDS to know?
• What is permissible?
• What is safe?
• Who NEEDS to do what?
• Like to Know/Need to Know
Slide 20: Services
• FTP
• Telnet
• HTTP
• Gopher
• DNS
• PING
• FINGER, ...

Slide 21: Facilities
• Virtual Private Networks
• Dial-up
• Authentication
• Credentials
Slide 22: Trust
Trust is the fundamental problem in the online connected world.
Today’s environment requires a flexible trust model, including:
• colleagues
• collaborators
• competitors

Slide 23: Policies and Politics
• Company policies
• Disclosure
• Defamation/Harassment
• Access Control
• Regulations
• Auditing
• Accountability
• Monopoly on Force
Slide 24: Security Eco-system
A Firewall (or Firewalls) does not exist in a vacuum; it is part and parcel of the entire security plan.

Slide 25: Security Eco-system
Before you can sit down to plan your configuration, you need to understand your environment well.
Slide 26: Common Corporate Model
[Diagram: Host Computer A, Host Computer B and Host Computer C sit behind a single Firewall]

Slide 27: Common Corporate Reality
[Diagram: Acme Financial Corporation is made up of separate units: Trust Department, Mergers & Acquisitions, Merchant Bank]
Slide 28: Complementary Technologies/Strategies
• Hidden Subnets (RFC 1597)
• Virtual Private Networks
• Multi-level DNS
• DHCP restrictions

Slide 29: Hidden Subnetworks, RFC 1597
Slide 30
"Overall, he judged it to be better to be invisible than agile ..."
– Red Storm Rising

Slide 31
Routers filter packets based upon source and destination addresses and protocol type. Their efficacy is limited.
Slide 32
Firewalls (bastion hosts) should be the exclusive "ports of entry" into your internal network. These concerns also apply to nested security environments.

Slide 33
Many assets are now addressable via IP, from printers to PBXes. It is highly undesirable that most of these resources be accessible from outside the security perimeter.
Slide 34: Enter RFC 1597 – Address Allocation for Private Internets

Slide 35
RFC 1597 is a scheme which reserves a portion of the IPv4 address space for guaranteed internal use in non-publicly addressable networks.
Slide 36: What is reserved by RFC 1597?
Guaranteed non-public allocation of:
• 1 Class A Address Block (10.0.0.0 – 10.255.255.255)
• 16 Class B Address Blocks (172.16.0.0 – 172.31.255.255)
• 255 Class C Address Blocks (192.168.0.0 – 192.168.255.255)

Slide 37: RFC 1597 Intent
Permit the connection of large numbers of local devices to LANs via IP without requiring every LAN to hold a Class A address space. It is worth noting that even a private residence could easily overflow a Class C address space.
Slide 38: Implications of RFC 1597
• Repeatedly sub-divideable
• Internal nodes (workstations, servers, PCs) cannot connect to outside servers EXCEPT through an approved application proxy on an outside addressable host.
• Inbound connections must go through approved proxies on the (externally visible) gateways.
• Internal nodes need not be renumbered due to changes in externally visible address ranges caused by CIDR adjustments and/or access provider changes.

Slide 39: Router Configuration
• Access Providers should filter the RFC 1597 Address Blocks
• Nested internal routers should filter addresses
• Your router outside your firewall should filter RFC 1597 addresses
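As an added example (not from the deck), the filtering rule for the router outside the firewall and the "repeatedly sub-divideable" property of the RFC 1597 blocks, in Python using only the standard library; the verdict strings, the "in"/"out" direction labels and the sample packets are my own construction.

```python
"""RFC 1597 private-address checks for the router outside the firewall.
Added example, not from the original slides; standard library only."""
import ipaddress

# The three blocks RFC 1597 reserves for private internets.
RFC1597_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),      # one Class A block
    ipaddress.ip_network("172.16.0.0/12"),   # 16 Class B blocks, 172.16 to 172.31
    ipaddress.ip_network("192.168.0.0/16"),  # the 192.168.x.x Class C blocks
)


def is_rfc1597(addr: str) -> bool:
    """True if addr lies inside any RFC 1597 private block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1597_BLOCKS)


def border_router_verdict(direction: str, src: str, dst: str) -> str:
    """Filter decision for the router outside the firewall.

    direction is "in" (Internet to site) or "out" (site to Internet).
    A private source arriving from outside cannot be a real peer (the
    address is ambiguous, as the slides put it); a private source leaving
    the site means an internal node bypassed the application proxy; a
    private destination is never reachable across the border.  Drop all three.
    """
    if is_rfc1597(src):
        why = "spoofed from outside" if direction == "in" else "internal node bypassed the proxy"
        return "drop: RFC 1597 source address (%s)" % why
    if is_rfc1597(dst):
        return "drop: RFC 1597 destination is never reachable across the border"
    return "pass"


def department_subnets(block: str, new_prefix: int, count: int) -> list:
    """Carve the first `count` /new_prefix subnets out of a private block,
    e.g. nested department networks behind their own firewalls."""
    subnets = ipaddress.ip_network(block).subnets(new_prefix=new_prefix)
    return [str(next(subnets)) for _ in range(count)]


if __name__ == "__main__":
    # Constructed sample packets: (direction, source, destination).
    for pkt in [("in", "10.0.0.5", "203.0.113.10"),
                ("in", "198.51.100.7", "203.0.113.10"),
                ("out", "203.0.113.10", "192.168.1.1")]:
        print(pkt, "->", border_router_verdict(*pkt))
    print(department_subnets("10.0.0.0/8", 16, 2))
```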
Slide 40: Router Implications
• Internal hosts (possibly nested) are invisible to systems outside the firewall
• Even if your router fails, the from address is ambiguous
• The previous note is not as safe as might be perceived; an attack on your link might be feasible.
[Diagram: Department A1 (Host C, Host D) behind the Department A1 Firewall and Department A2 (Host C, Host D) behind the Department A2 Firewall, both nested behind the Corporate Firewall]

Slide 41: RFC 1597 and Domain Name Services
• Internal DNS serving
• External DNS serving
• Implications
Slide 42: Internal DNS
• Final authority on nodes inside the firewall
• Uses firewall to resolve external DNS
[Diagram: Department A1 (Host C, Host D) behind the Department A1 Firewall and Department A2 (Host C, Host D) behind the Department A2 Firewall, both nested behind the Corporate Firewall]

Slide 43: External DNS
• All internal mail targets are represented by MX records
• Internal nodes which are not to be addressed may be totally absent from the External DNS
[Diagram: the same nested Department A1/A2 firewalls behind the Corporate Firewall]
Slide 44: DNS Implications
• SMTP mail is forced to route through the gateway
• FTP, TELNET, HTTP cannot even resolve the address of interior systems.
[Diagram: Department A1 (Host C, Host D) behind the Department A1 Firewall and Department A2 (Host C, Host D) behind the Department A2 Firewall, both nested behind the Corporate Firewall]

Slide 45: Relationship Connectivity
• RFC 1597 addresses can be used together with careful management to protect IP links with business and strategic partners
• Mutual distrust
• "No Man’s" land
[Diagram: the same nested Department A1/A2 firewalls behind the Corporate Firewall]
Slide 46: Summary
RFC 1597 provides an excellent framework for implementing an environment which enhances the safety support provided by your firewall(s).

Slide 47: Corporate Strategy
• Keep things outside
• Minimize Trust
• Minimize Exposure
• Minimize Firewall use
• Public/Semipublic Outside
• Nest Security/Access Domains
• Parents AND Sibling Domains
Slide 48: General Corporate Implementation
[Diagram: Host Computer A, Host Computer B and Host Computer C inside the firewall; Bastion WWW Server and FTP Server outside it]

Slide 49: Virtual Private Networks
• Use Encryption
• Caution: Derived Trust
• Efficient Solution
• Ease of Use
• Make it easy to be good
Slide 50: Multi-level DNS
• Keep inside invisible
• Mail headers
• Fake Authorities
• Ambiguities

Slide 51: DHCP restrictions
• Within domain
• Within physical department
• DO NOT Proxy
• Point of attack
• Availability issues
Slide 52: Bibliography
Hutt, Bosworth, Hoyt, "The Computer Security Handbook, 3rd Edition/Updated", John Wiley & Sons
Internet RFCs
Littman, "The Fugitive Game", Little Brown
Stoll, Clifford, "The Cuckoo’s Egg"

Slide 53: Questions?
Robert Gezelter, Software Consultant
35 – 20 167th Street, Suite 215, Flushing, New York 11358 – 1731, United States of America
+1 718 463 1079
[email protected]