Lecture 19: Network Security


The Nature Of Attacks

Computer systems (hosts) connected to the Internet are subject to an almost constant barrage of security attacks. Most attacks have at least some of the following goals:


Internet Security

Most interest in security issues is in connecting to the Internet in a secure way. Recall:

[1] A successful buffer overrun attack requires extremely detailed knowledge of the vulnerable target system. However, many such exploits have been observed over the years. The famous "Morris Internet Worm" of 1988 was based (among other things) on a buffer overrun attack on sendmail, the Unix standard package for email delivery.


Firewall Security

A Firewall is a dedicated network box (usually implemented in the organisation's "gateway" router) situated between the Internet and an organisation's private network, thus:
Simple firewall structure
There are three classes of Firewall:
  1. Packet filtering firewalls
  2. Application gateways
  3. Circuit level gateways

Of these, the packet filtering type is the most common.

Because the firewall is not a general-purpose host, it does not itself run any vulnerable server processes.


Packet Filtering Firewalls

These only permit selected traffic to pass between the "inside" and "outside" networks.

The decision to forward a packet or to discard it is made by looking into its protocol headers, usually at either the IP source or destination address. The TCP or UDP port numbers in the packet can also be used.

TCP (and UDP) level filtering is more complex. and requires the firewall router to keep much more "state" information. For example, a particular site may allow outgoing TCP connections for some services (ie, port numbers), but prohibit most incoming TCP connections. This can be achieved by examining the ACK bit in the TCP header: it is cleared in the first connection request segment, and is set in all subsequent segments.

For example, the La Trobe University "gateway" router is configured to block outgoing port 80 (HTTP) connections, thus forcing Web users within the University to use the caching proxy server. At Nilai College, where this unit is also offered, outgoing HTTP (port 80) connections are permitted and most other services are blocked at the gateway router.


Packet Filtering Configuration

As an example of how access based on packet filtering can be configured, consider the approach taken in Cisco(tm) routers.

An access list is used to define permisible packet flows through the router. The general form of an access list entry is:

{ permit | deny } address [mask]
The entries have meaning thus:

permit | deny
indicates whether this entry allows or blocks traffic from the specified address.
address
gives the source IP address.
mask
this (optional) field is interpreted as a "bitmap" which defines the significance of each bit in the preceding address field. Every bit in the mask which has a "1" value indicates a "don't care" bit in the address, whereas every "0" bit indicates a bit in the address which must match exactly.

The access list for each interface can have many entries of the above form.

In addition, an access list can be specified to restrict either incoming or outgoing packets on the particular interface. Cisco's Extended ACLs are used for transport-layer (and other complex) filters.


More Complex Firewall Configurations

A more common structure nowadays uses a de-militarised zone (DMZ) between the internal LAN and the Internet, thus:
Firewall, DMZ and bastion host structure
Both of the routers in this diagram are configured as packet filtering firewalls.

The DMZ is also called a "stub network". Note that the DMZ is, of necessity, a separate subnet.

There are many options for the level of filtering in the routers, and for the functionality of the bastion host. These are examined in the next slides.


Application Gateways

In this configuration, the only system which has access to the outside Internet is the bastion host. In turn, the systems on the internal LAN (nowadays often referred to as the "Intranet") can only contact the bastion host, or gateway. Both of these conditions are configured using IP address-based packet filtering in the routers.

If users connected to the internal LANs wish to use the services of the outside Internet, they can (eg) telnet to the gateway, and then use standard tools running on it to access the rest of the Internet.

An example of such a structure is provided by an electronic mail gateway. Typically, a mail gateway in the DMZ receives messages addressed to an alias address, such as:

Phil.Scott@latrobe.edu.au
and delivers the message to an appropriate system and person within the organisation. The MX type in the DNS is used to support such mail gateway systems.


Circuit Level Gateways

These operate at the level of the TCP connection (or circuit). In effect, the application gateway transfers a copy of application-level data between the internal network and the outside Internet instead of the IP packets themselves.

Such a structure might be used where an internal host wishes to, for example, fetch a WWW page from a server in the external Internet. The client web browser establishes a connection to a server which is running on the gateway host. The gateway server in turn establishes a second connection to the actual WWW server on the external Internet, and passes the incoming HTML document back to the internal browser process. Such a server (running on the gateway, or bastion, host) is called a proxy.

One of the advantages of a proxy server is the caching of external web pages, thereby potentially reducing traffic on the connection to the outside Internet.


Real World Firewall Systems

Most installations combine both circuit level and application gateways, using the DMZ model of the previous slides. As mentioned, this implies the use of routers which can be configured to do packet filtering on IP addresses and/or TCP connections.

The bastion host normally runs, for example, the organisation's WWW server, its FTP server (if applicable) and any other public information services. It also usually acts as an email gateway. The WWW server usually is configured as a proxy for the hosts connected to the internal LANs (the Intranet). It may also perform a similar function for other services such as FTP.

This type of structure can be very effective, combining many of the best characteristics of all of the other types. However, the gateway system must usually be a general-purpose timeshared (and therefore Unix) system, which raises doubts about the safety and reliability of the proxy software processes. This is not a solved problem, for obvious reasons.

Although... Highly secure versions of Unix for just such applications are now said to be available.


Other Issues

Important undiscussed (and firewall related) issues in network security include:


If you are interested, there are various Firewall-related sites on the Web with much more information than can possibly be provided here.
La Trobe Uni Logo
Copyright 2004 by Philip Scott, La Trobe University.
Valid HTML 3.2!