12.10. ORDERED ACCESS CONTROL AND POLICY CONFLICTS |
483 |
separate operations, different orderings lead to different results. If authentication data are applied only after encryption, then they can be altered by a middle-man, leading to authentication spoofing (see section 12.4.5). Similarly, if encryption is applied after authentication, then the destination host can reroute data under false pretences.
The policy manager searches for the first network object that matches from the top of the list, and continues down through all the policy rules in turn, generating rule lists from the policy rules until all instances of that network object are added to the rule list. Therefore, rules appearing first can prevent subsequent rules from being enforced. For example, assume you create the following two policy rules:
Policy Rule 1:
src= host1 dest=host2 serv=all IP action=Permit and IPSec
Policy Rule 2:
src=network1 dest=network2 serv=all IP action=Permit
where host1 is assumed to be on network1 and host2 is on network2. Policy Rule 1 is a more specific rule; therefore, it should appear first in the Policy Rule table so that traffic from host1 to host2 is routed through an IPSec tunnel. If Policy Rule 2 appeared first, it would take precedence and non-tunneled IP traffic would be permitted from host1 to host2.
12.10 Ordered access control and policy conflicts
Access control lists are the basis of access control in most computer security systems. They are irreplaceable, and yet they have a basic flaw: they are order dependent.
Principle 65 (Conflicting rules). In any situation where conflicting rules can arise, the result will be sensitive to the order in which the rules are evaluated.
Example 19 (Ordering in list-based policies). List-based policy decisions are sensitive to ordering issues. Lists usually satisfy a ‘first match wins’ rule, or an ‘evaluate all rules in order’ rule.
If the ordering of two rules is reversed, valuable protection can be lost. An example of this was mentioned in section 12.4.5 for signing and encryption. Encryption is often a problem here, because it hides rules that might be evaluated, preventing any ‘corrective measures’ that might have been applied to eliminate conflicts. Consider three examples of IPSec security polices [124], where inconsistencies can lead to unfortunate and incorrect behavior.
Example 20 (IPSec 1). Consider a scenario between two domains (figure 12.2), one of which has a firewall and one of which has a gateway supporting IPSec security policies. The users of H1 are concerned about the privacy of data, so they arrange for the traffic to be encrypted.
484 |
CHAPTER 12. SECURITY IMPLEMENTATION |
FW1 |
SG2 |
H1 |
H2 |
Figure 12.2: IPSec configuration 1.
Using IPSec policy rules, an encrypted tunnel is built between H1 and the secure gateway SG2 in order to protect the traffic. However, the IPSec policy rules on the firewall are set by a different authority, and they can be specified so that encrypted packets can be denied access. If the firewall FW1 has such a rule, either intentionally or unintentionally, then all packets will be dropped and communication will be mysteriously impossible.
Example 21 (IPSec 2). Suppose that H1 is still trying to encrypt traffic to SG2, with the same tunnel rule. Suppose the firewall FW1 now has the rules:
Allow: source=H1, destination=H2
Deny: all others
However, since the encryption tunnel changes the destination to be SG2 in the outer encapsulation header, the firewall will mistakenly drop all traffic from H1 to H2 that should be allowed. Even though the traffic has the correct source and destination addresses, the overlapping rules cause problems.
In the following example, encryption plays a role in fixing a strong ordering of rules that can lead to unfortunate mis-communications.
Example 22. (IPSec 3). Consider two separate sites (figure 12.3), each with their own IPSec gateways (SG1 and SG2). Suppose that the administrator from department D1 who is in charge of SG1 decides that all traffic from D1 to site O2 should be encrypted by a tunnel from SG1 to SG3. In a different building, another administrator who controls SG2 decides that traffic from site O1 to site O2 should be encrypted through a tunnel from SG2 to SG4.
What happens now, when someone in department D1 attempts to send a message to someone in department D2? The traffic between the sites is now governed by two
|
ENC tunnel 1 |
SG1 |
SG3 |
D1 |
|
|
D2 |
|
ENC tunnel 2 |
SG4 |
|
|
SG2 |
||
|
|
||
|
|
|
|
O1 |
|
|
O2 |
|
|
|
Figure 12.3: IPSec configuration 2.
12.11. IP FILTERING FOR FIREWALLS |
485 |
policies that do not agree, and either tunnel could be chosen. Part of the journey is unencrypted, either in the first organization, or in the second.
If the administrator in D1 does not add a selector for traffic specifically to D2 (via SG4) that allows it to pass via SG2, then it could take the upper tunnel and be unencrypted within the second organization (between SG3 and SG4). If the communication is between an employee of organization O1 and the organization itself, this might be a breach of security.
On the other hand, if the rules are adjusted so as to direct traffic to the lower tunnel for all traffic destined for site O2, then there would be two overlapping rules to SG4 (from SG1 and SG2) and the traffic could pass by either one of two routes.
Suppose someone in department D1 now wishes to send data to a host outside of department D2. If the traffic takes the upper tunnel 1, there is no problem. However, if the traffic chooses the lower tunnel in the diagram, via a new tunnel between SG1 and SG2, then some strange effects can occur. With this configuration, traffic is encapsulated with a secure header from SG1 and then encapsulated by a new header from SG2 to send to SG4. When SG4 decrypts and removes the packaging, it finds that the destination is SG3, SG4 sends the traffic back to SG3 unencrypted, which finally delivers the packet to its actual destination.
SG1: (dest=H2)_SG4, send SG2
SG2: ((dest=H2)_SG4)_SG4, send SG4
SG4: (dest=H2), send SG3
SG3: send destination
Although the intention was to encrypt all the traffic, the traffic ends up passing from SG4 to SG3 unencrypted.
The problem over overlapping rules can thus lead to security problems, unless a careful site-wide management assures the‘ consistency of policy throughout. The alternative to using multiple encapsulation rules is use point-to-point encryption, but this has its own problems. All points along a route must be trusted to deny access to eavesdroppers. This is not enforceable.
12.11 IP filtering for firewalls
Filtering of TCP/IP data can be accomplished in numerous ways, both at routers and at the host level. Filters can exact access control on datagrams, where the attributes are, amongst other things,
•Source port
•Destination port (service type)
•Source IP address
•Destination IP address
•TCP protocol attributes (SYN/ACK).
486 |
CHAPTER 12. SECURITY IMPLEMENTATION |
A firewall blocks access at the network level. For instance, Cisco IOS rules:
ip access-group 100 in
access-list 100 |
permit |
tcp |
any host 128.39.74.16 eq http |
|
access-list |
100 |
permit |
tcp |
any host 128.39.74.16 eq smtp |
access-list |
100 |
deny |
ip |
any any |
Modern versions of operating systems can filter IP packets in the kernel too, giving hosts effectively a host-based firewall. For instance, Linux and FreeBSD have IP tables, formerly known as ‘IP chains’:
iptables -N newchain |
# new ACL/chain |
|
iptables -A newchain -p tcp -s 0/0 smtp -j ACCEPT |
# |
-s source address |
iptables -A newchain -p tcp -s 0/0 www -j ACCEPT |
|
|
iptables -A newchain -j DENY |
# |
all else |
The CIDR notation 0/0 is the same as 0.0.0.0 255.255.255.255, or any. A default policy for any packets that are not ACCEPTed is set as follows:
iptables -P INPUT DROP iptables -P OUTPUT DROP
Windows 2000 has corresponding ‘IPSec filters’ and the local security policy has an IP filter list.
12.12 Firewalls
A firewall is a network configuration which isolates some machines from the rest of the network. It is a gate-keeper which limits access to and from a network. Our human bodies are relatively immune to attack by bacteria and viruses because we have a barrier: skin. The skin contains layers of various fatty acids in which bacteria and viruses cannot normally survive. If we lose the skin from a part of the body, wounds become quickly infected; indeed, prior to antibiotics, many people died from infected wounds. A firewall is like a skin for a local area network.
The idea is this: if we could make a barrier between our local network and the Internet which is impenetrable, then we would be safe from network attacks. But if there is an impenetrable barrier so that no one can get into the network, then no one can get out either. Why pay for a firewall when we could just pull out the network cable? Think of the body again: we have to put food and air into our bodies and we have to let stuff out, so we need a hole in the skin (preferably several). We do not usually die of the food we eat because the body has filters which screen out and break down dangerous organisms (stomach acid and layers of mucus etc.). These then hand us the ‘input’ by proxy. We do the same thing with computer networks. A firewall is not an impenetrable barrier: it has holes in it with passport checks. We demand that only network data with appropriate credentials should be allowed to pass.
12.12.1A firewall concept
A firewall is a concept. It is not a thing; there is no single firewall solution. The name ‘firewall’ is a collective description for a variety of methods which restrict
12.12. FIREWALLS |
487 |
access to a network. They all involve placing restrictions on the way in which network packets are routed. A firewall might be a computer which is programmed to act like a router, or it might be a dedicated router or a combination of routers and software systems. The idea with a firewall is to keep important data behind a barrier which has some kind of passport-control and can examine and restrict network packets, allowing only ‘harmless’ packets to pass.
•All traffic from inside to outside or vice versa must pass through the firewall.
•Only authorized traffic is allowed to pass.
•Potentially risky network services (like mail) are rendered safer using intermediary systems.
•The firewall itself should be immune to attack.
A firewall cannot help with the following:
•Badly configured hosts or mis-configured networks.
•Data-based attacks (where the attack involves sending some harmful information, like the code word which makes you take your own life, or an E-mail which bolts a Trojan horse).
There are two firewall philosophies: block everything unless we make an explicit exception and pass everything unless we make a specific exception. The first of these is clearly the most secure or at least the more paranoid of the two.
Here are a few concepts which get bandied around in firewall-speak:
•Screening router or ‘choke’: A router which can be programmed to filter or reject packets directed at certain IP ports.
•Bastion host: A computer, specially modified to be secure but available.
•Dual-homed host: A computer with two net-cards, which can be used to link an isolated network to a larger network.
•Application gateway: A filter, usually run on a bastion host, which has the ability to reject or forward packets at a high level (i.e. at the application level).
•Screened subnet/DMZ: An isolated subnet, between the Internet and the private network. Also called a DMZ (de-militarized zone). A DMZ is the bit between a screening router and the firewall, bastion host. This is a good place for external WWW services.
The firewall philosophy builds on the idea that it is easier to secure one host (the bastion host) than it is to secure hundreds or thousands of hosts on a local network. One focuses on a single machine and ensures that it is the only one effectively coupled directly to the network. One forces all network traffic to stop at the bastion host, so if someone tries to attack the system by sending some kind of IP attack there can be little damage to the rest of the network because the private network will never see the attack. This is of course a simplification. It is important
12.12. FIREWALLS |
|
|
|
|
|
491 |
||||
|
|
|
|
|
|
|
|
|
|
|
|
Rule |
I/O |
Src |
Dest |
Proto |
Src |
Dest |
ACK |
Action |
|
|
|
|
addr |
addr |
|
port |
port |
set |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
spoof |
in |
intern |
any |
any |
any |
any |
any |
deny |
|
|
|
|
|
|
|
|
|
|
|
|
|
ssh1 |
in |
bastion |
intern |
TCP |
22 |
> 1023 |
yes |
permit |
|
|
ssh2 |
in |
bastion |
intern |
TCP |
> 1023 |
22 |
any |
permit |
|
|
ssh3 |
out |
intern |
bastion |
TCP |
> 1023 |
22 |
any |
permit |
|
|
ssh4 |
out |
intern |
bastion |
TCP |
22 |
> 1023 |
yes |
permit |
|
|
|
|
|
|
|
|
|
|
|
|
|
ftp1 |
out |
intern |
bastion |
TCP |
> 1023 |
21 |
any |
permit |
|
|
ftp2 |
in |
bastion |
intern |
TCP |
21 |
> 1023 |
yes |
permit |
|
|
ftp3 |
in |
bastion |
intern |
TCP |
20 |
> 1023 |
any |
permit |
|
|
ftp4 |
out |
intern |
bastion |
TCP |
> 1023 |
20 |
yes |
permit |
|
|
|
|
|
|
|
|
|
|
|
|
|
smtp1 |
out |
intern |
bastion |
TCP |
> 1023 |
25 |
any |
permit |
|
|
smtp2 |
in |
bastion |
smtphost |
TCP |
25 |
> 1023 |
any |
permit |
|
|
smtp3 |
out |
smtphost |
bastion |
TCP |
25 |
> 1023 |
yes |
permit |
|
|
smtpX |
in |
bastion |
intern |
TCP |
25 |
> 1023 |
yes |
permit |
|
|
|
|
|
|
|
|
|
|
|
|
|
http1 |
out |
intern |
bastion |
TCP |
> 1023 |
80 |
any |
permit |
|
|
http2 |
in |
bastion |
intern |
TCP |
80 |
> 1023 |
yes |
permit |
|
|
|
|
|
|
|
|
|
|
|
|
|
dns1 |
out |
dnshost |
bastion |
UDP |
53 |
53 |
N/A |
permit |
|
|
dns2 |
in |
bastion |
dnshost |
UDP |
53 |
53 |
N/A |
permit |
|
|
dns3 |
out |
dnshost |
bastion |
TCP |
> 1023 |
53 |
any |
permit |
|
|
dns4 |
in |
bastion |
dnshost |
TCP |
53 |
> 1023 |
yes |
permit |
|
|
dns5 |
in |
bastion |
dnshost |
TCP |
> 1023 |
53 |
any |
permit |
|
|
dns6 |
out |
dnshost |
bastion |
TCP |
53 |
> 1023 |
yes |
permit |
|
|
|
|
|
|
|
|
|
|
|
|
|
default1 |
out |
any |
any |
any |
any |
any |
any |
deny |
|
|
default1 |
in |
any |
any |
any |
any |
any |
any |
deny |
|
|
|
|
|
|
|
|
|
|
|
|
Table 12.1: Internal router filter table. Incoming ssh traffic is allowed from the bastion host ssh proxy to the internal hosts, but not to the DMZ. Outgoing traffic is channeled through the bastion host proxy, which avoids the origin IP address being seen by outsiders. FTP, HTTP and SMTP traffic is allowed between the respective server-hosts and the bastion hosts proxies. Note how WWW and FTP servers are special ‘sacrificial lamb’ hosts in the DMZ, with data backed up on internal hosts. Note that FTP uses two channels, a transmission channel and a control channel on ports 20 and 21. An SMTP mail hub is used. DNS MX records should be set to point to the bastion host proxy. DNS filters are slightly complex, since the DNS services uses both UDP for lookup and TCP for bulk transfer and forwarding.