Chapter 14. Going Beyond Basic Firewall Features


Content Filtering

Many enterprises are beginning to concern themselves with the use of the corporate Internet connection by their employees. Unmanaged access to inappropriate or distracting web content can involve significant legal risk and may well jeopardize network security. Additionally, unmanaged access to web content typically results in a significant reduction of employee productivity. These issues cannot be easily ignored by many companies.

One of the newer features being required of firewalls is the capability of filtering the content that passes through them. This filtering typically is defined as URL filtering, whereby the firewall is used either by itself or in conjunction with another appliance or software suite to control which websites users are allowed to visit. However, given that web content can range from the simple to the complex, firewalls typically offload the detailed evaluation and decision making to other devices, which is an excellent example of the limitations of a firewall as a self-contained content filtering device. Rather, the firewall becomes a control point where the decision made by the evaluation device (whether it is a content engine or a filtering software suite) is applied to user traffic.



Implementing a URL Filter

Implementing URL filters is relatively straightforward. There are two typical ways to implement a URL filter. The first is to maintain a list of URLs that will be blocked on the firewall, typically in the format of an access control list (ACL). This can be a time-consuming process for both the implementation and maintenance of the URL list. Additionally, because ACLs are typically stored in a flat file format, the firewall can be subjected to latency in permitting or denying traffic while a large ACL is being processed.

The second method is to utilize a third-party content filtering application running on a separate server from the firewall, or on a content engine that is separate from the firewall, to handle the actual building, maintaining, and configuring of the URL filter list. As previously mentioned, this allows the firewall to offload the processing and evaluation of traffic to the content filtering device, which enables the firewall to do what it does best: serve as a control point for traffic, blocking content as defined by the content filtering device. Because this is the most efficient and effective way to perform content filtering with most firewalls, this is the situation that we detail in this chapter.

For most firewalls to be able to block specific content, they must have access to a database that contains a list of URLs that are prohibited; whenever a user opens a connection to one of these sites, the firewall blocks the connection. Given that the list can be quite extensive and that the enterprise's management may want to deny access to sites that are considered wasteful in terms of time, many higher-end firewalls provide for the use of an external URL database system that can decide whether the connection should be permitted. Thus a specialized device (for example, a content engine or a content filtering server) performs all the processing of the traffic, which in turn allows the firewall to just provide the necessary enforcement by either permitting or denying the traffic as determined by the content filtering system.

The Cisco PIX Firewall can work in conjunction with two web filtering software suites: WebSense and N2H2.



Note

In 2003, Secure Computing acquired N2H2 and integrated the N2H2 filtering software into their SmartFilter product. The Cisco documentation and command syntax still refers to N2H2, however, and for the sake of simplicity this book uses the term N2H2 to refer to both products, because the configuration for either is exactly the same.



To configure the PIX to enforce URL filtering, the administrator needs to first configure the PIX to work with the URL filtering software suite by configuring the PIX with the IP address of the filtering server. For a WebSense server, the command is as follows:

gandalf(config)# url-server (inside) vendor websense host 172.2
version 1



You can specify either TCP or UDP for the protocol (TCP is recommended) as well as Version 1 or Version 4. The default for TCP is Version 1, whereas UDP only supports Version 4. For an N2H2 server, the command is as follows:

gandalf(config)# url-server (inside) vendor n2h2 host 172.28.23

For N2H2, you can define the port and protocol to use. The default values are port 4005 and protocol TCP.

After you have identified the filtering server and defined how the firewall should connect to the filtering server, the next step is to configure the PIX firewall to actually filter URL traffic by running the following command:

gandalf(config)# filter url http 0 0 0 0



In this case, the PIX firewall will filter all HTTP traffic that passes through the firewall. You can also configure the firewall to filter only specific subnets. For example, if you want to filter traffic from network 172.28.238.0/24 to any network, you run the following command:

gandalf(config)# filter url http 172.28.238.0 255.255.255.0 0.0



When the PIX sees the outbound connection, it does not allow the return traffic from the web server back to the client until it has received a response from the URL filtering server. When the filtering server approves the connection, the PIX allows the connection to complete back to the client. If the filtering server denies the request, the user is redirected to a block page indicating that access was denied and possibly the reason it was denied. Figure 14-1 shows this filtering.



Figure 14-1. URL Filtering with the Cisco PIX Firewall



The following is a description of the process in Figure 14-1:

1. The client sends the initial connection to the web server, which replies back as expected. This reply is held at the firewall, however, until a filtering determination has been made.

2. At the same time, the firewall connects to the filtering server using connection 2 to query the filtering server about whether the traffic should be permitted.

3. The filtering server replies to the firewall with whether the traffic should be permitted or denied.

4. If the filtering server approves the URL, it notifies the PIX firewall, and the firewall allows the return traffic to reach the client system. If the filtering server denies the URL, it notifies the PIX firewall, and the firewall drops the return traffic, preventing it from reaching the client.



Maintaining URL Filters

One of the biggest problems with URL filtering is the maintenance required of the URL database. To help network administrators maintain their URL filters and keep them as up-to-date as possible, many vendors turn to a subscription service whereby the filtering server at the client site connects to a web server at the vendor's location and downloads a database of URLs with default settings associated with each URL. This service conveniently allows administrators to keep relatively current with new sites that they want to block as soon as possible. Additionally, administrators can configure the system to automatically download new URL databases periodically.



The only difficulty presented by these systems is that they rely on a third-party vendor to determine whether a URL is to be included in the database. In some cases, this reliance can lead to the blocking of legitimate websites that would not necessarily fall into the category of inappropriate during business hours or a waste of employee time. Additionally, some URL lists may include one website but completely neglect the mirror located in another country. Administrators should use caution when deciding what category of URLs to block and what to allow through.
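The following is an added example, not code from the book or from any vendor's filtering product, that shows the lookup a filtering server performs on the firewall's behalf: normalize the requested host, walk up its parent domains in a category database, and return the permit/deny verdict that the PIX enforces by releasing or dropping the held return traffic. The category database, the deny policy and the sample URLs are constructed for illustration; the normalization step is where the mirror and case/port-variation problems described above show up in practice.

```python
"""Added example: a minimal URL-category lookup of the kind an external
filtering server performs for the firewall. The database, policy and sample
hosts below are hypothetical, not vendor data."""
from typing import Tuple
from urllib.parse import urlsplit

# Constructed category database: hostname -> category. A subscription
# database holds millions of entries; these are made up for the example.
URL_DB = {
    "gambling.example": "gambling",
    "mirror.gambling.example.co.uk": "gambling",   # a mirror in another country
    "news.example": "news",
    "intranet.corp.example": "business",
}

# Assumed policy: categories the administrator chose to deny.
DENY_CATEGORIES = {"gambling", "adult"}


def normalize_host(url: str) -> str:
    """Lower-case the host and strip scheme, port, userinfo and trailing dot.
    Without this step 'GAMBLING.EXAMPLE:80.' would miss an entry for
    'gambling.example' and be permitted."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def lookup_category(host: str) -> str:
    """Match the host, then each parent domain, so that a listed domain also
    covers its subdomains (www.gambling.example -> gambling.example).
    The bare top-level label is never consulted."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        category = URL_DB.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


def decide(url: str) -> Tuple[str, str]:
    """Return ('permit' | 'deny', category). The category is what the block
    page can show the user as the reason access was denied."""
    category = lookup_category(normalize_host(url))
    return ("deny" if category in DENY_CATEGORIES else "permit", category)


if __name__ == "__main__":
    for u in ("http://WWW.Gambling.Example:8080/lobby",
              "https://mirror.gambling.example.co.uk/",
              "http://news.example/",
              "http://192.0.2.10/"):
        print(u, "->", decide(u))
```

Note the last sample: a request by raw IP address (192.0.2.10, a documentation address) comes back uncategorized and is permitted. A URL database that lists only hostnames cannot classify it, which is the same weakness as the unlisted foreign mirror; a deployment that blocks by category should decide explicitly whether uncategorized destinations are permitted or denied by default.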



What to Do If...

Many of the more powerful URL-filtering software systems such as WebSense and N2H2 provide detailed reports of which user went to a particular URL or set of URLs. The problem, which is really a human resources issue, then becomes what to do when a user continuously violates the web policy as specified in the corporate network security policy. Network administration staff should not have to deal with the problem; instead, that staff should provide human resources with the necessary information to make an informed decision.



Performing Application Filtering

Application filtering is one of the most difficult types of filtering that firewalls perform, because it requires the firewall to process the data at the application layer (Layer 7) of the OSI model. Application filtering is one of the two primary components of an application proxy firewall, the other being the proxy functionality provided by the firewall. Chapter 2, "Firewall Basics," and Chapter 8, "Application Proxy Firewalls," discuss application proxy firewalls in more detail.

The purpose of application filtering is to enforce a specific security policy on various services provided through the firewall. Whereas network firewalls enforce policy based on information at Layers 3 and 4, an application firewall goes further. Consider that an attacker can compromise a web server behind a firewall by attacking through the web service. Attacks such as Structured Query Language (SQL) injection, cross-site scripting, and viruses and worms represent significant problems because they attack the end host through the specific port that is required to be open in the network firewall. To solve this problem, many vendors and some open source efforts have developed firewalls that can inspect the data payload of the packets passing through the firewall and determine whether they violate the security policy of the end host. If they do violate the policy, these devices can prevent the attacks from affecting the target system.



Applications That Are Hard to Firewall

The difficulty with application firewalls stems from the fact that the transaction between the client and the server is complex and can be made more so if the protocol or the data in the communication expands or increases the complexity of the transaction. Protocols such as eXtensible Markup Language (XML) and Simple Object Access Protocol (SOAP) make web application firewalls especially tricky. To provide proper web application security, the application firewall must have a detailed understanding of legitimate transactions, including the use of URLs; different HTTP methods such as GET (retrieving data from a web server), POST (transmitting data to a web server), and other HTTP methods; session IDs and session cookies; XML and SOAP schemas; SQL queries; and much more.

Many vendors have focused on developing web application firewalls because of the wide array of difficulties faced in providing security to such a ubiquitous protocol as HTTP. Other applications that use protocols such as Simple Mail Transfer Protocol (SMTP) and Secure Shell (SSH) also require significant filtering to prevent an attacker from compromising a service that is open in a network firewall.



Web Applications (XML, SOAP, WSDL, CGI)

Consider web applications. These applications may use a wide variety of protocols, from simple HTML to XML to Web Services Description Language (WSDL) and a whole range of Common Gateway Interface (CGI) programs. Many end users believe that the simple solution to web security is Secure Sockets Layer (SSL). When they want to "secure" their web application, they simply use an SSL-capable web server and restrict the traffic to TCP port 443. However, this belief is certainly a misconception. An attacker needs access only to the web server port to attack the application running on the server; the port being open is enough, and SSL does nothing to restrict who can use it. In the case of SSL, it just means that the attack happens to be encrypted, because what is being attacked is the application behind the port (the web server software and the programs it runs), not the transport. How can this be? An example illustrates this point.



An attacker finds a web server running on the Internet with a particular application. The server is only accessible through TCP port 443 (HTTPS). Example 14-1 shows using Telnet to access a server on TCP port 443 (HTTPS).



Example 14-1. Using Telnet to Access a Server on TCP Port 443 (HTTPS)

$ telnet 10.16.17.223 443
Trying 10.16.17.223...
Connected to 10.16.17.223.
Escape character is '^]'.
GET / HTTP/1.0

400 Bad Request

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Hint: https://www.innocentvictimcompany.com/

Apache/2.0.52 (Unix) mod_ssl/2.0.52 OpenSSL/0.9.7d DAV/2 PHP/4.3.9 Server at www.innocentvictimcompany.com Port 443

Connection to 10.16.17.223 closed by foreign host.



A simple connection is clearly not understood by the server. To get around this, the attacker uses OpenSSL, as shown in Example 14-2.



Example 14-2. OpenSSL

$ openssl s_client -connect 10.16.17.223:443
CONNECTED(00000003)
depth=0 /C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky/emailAddress=idubraws@dubrawsky.org
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky/emailAddress=idubraws@dubrawsky.org
verify error:num=10:certificate has expired
notAfter=Oct  6 01:35:00 2005 GMT
verify return:1
depth=0 /C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky/emailAddress=idubraws@dubrawsky.org
notAfter=Oct  6 01:35:00 2005 GMT
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky/emailAddress=idubraws@dubrawsky.org
   i:/C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky/emailAddress=idubraws@dubrawsky.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICqTCCAhICAQAwDQYJKoZIhvcNAQEEBQAwgZwxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFuZDEWMBQG
A1UEBxMNU2lsdmVyIFNwcmluZzEWMBQGA1UEChMNZHVicmF3c2t5Lm9yZzELMAkGA1UECxMCSVQxFjAUBgNVBAM
TDUlkbyBEdWJyYXdza3kxJTAjBgkqhkiG9w0BCQEWFmlkdWJyYXdzQGR1YnJhd3NreS5vcmcwHhcNMDQxMDA2MD
EzNTAwWhcNMDUxMDA2MDEzNTAwWjCBnDELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1hcnlsYW5kMRYwFAYDVQQHE
w1TaWx2ZXIgU3ByaW5nMRYwFAYDVQQKEw1kdWJyYXdza3kub3JnMQswCQYDVQQLEwJJVDEWMBQGA1UEAxMNSWRv
IER1YnJhd3NreTElMCMGCSqGSIb3DQEJARYWaWR1YnJhd3NAZHVicmF3c2t5Lm9yZzCBnzANBgkqhkiG9w0BAQE
FAAOBjQAwgYkCgYEAwpCwIAhfnPvq9Q+2Y+CuPZoaKMROeUbEV8GcPlFfJOCrR0CwcQIsGfZVQvgUPVNoBiRavu
9amk4tV6l1bJHZlgRD5bk0tmYRTdvjFUyXPJrcGk493vpqUqYKYX4Nhz7UIm9JIbJ1SlSo5XhW47rS5QRDrfKVL
PHK4viuX7C56JsCAwEAATANBgkqhkiG9w0BAQQFAAOBgQC4huUgw9ahmLYLPiuBqrGfSbov1OfeIVB83SJQiUlY
vzVaL/ANaAzcGcPQTobJJ9mgbnCU0C5y1khsX+Y060Ji/
afJPOKSJu45WKXUw87Dty93Baj4+pTzS0Cyh+0dB6t89dpUnq3AABSCclsmCb2J//5OEdA2ESnOedpHULQKWQ==
-----END CERTIFICATE-----
subject=/C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky/emailAddress=idubraws@dubrawsky.org
issuer=/C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky/emailAddress=idubraws@dubrawsky.org
---
No client certificate CA names sent
---
SSL handshake has read 1249 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: E6F3E3D7B5CCBBFF64C00930A0EE9D056F82ED55F483E0682215EF37342D37EE
    Session-ID-ctx:
    Master-Key: DCE5F0E40DAB7ADF26EEA55A17DAA0E722213B64F229A81ED0CD2E2207CD9D34A9650D4737AAF33855FD9462E7E3B5A7
    Key-Arg   : None
    Start Time: 1133540279
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---

HEAD / HTTP/1.0

HTTP/1.1 401 Authorization Required
Date: Fri, 02 Dec 2005 16:23:50 GMT
Server: Apache/2.0.52 (Unix) mod_ssl/2.0.52 OpenSSL/0.9.7d DAV/2 PHP/4.3.9
WWW-Authenticate: Basic realm="Snort IDS ACID"
Connection: close
Content-Type: text/html; charset=iso-8859-1

Closed



As you can see, the attacker can get more information from the server this time using OpenSSL. To run a web scanner against an SSL-enabled server, the attacker need only set up an SSL tunnel to the server and then scan through that tunnel. The attacker can easily do so by using the open source utility Stunnel.

This scenario is where web application firewalls work. The precise methods of blocking applications differ from firewall to firewall and application to application. However, by inspecting the traffic more deeply than a network firewall and by applying specific, defined security policies to that traffic (policies typically defined by the firewall or security administrator, or by the vendor that provides the application filtering capabilities), the application firewall can identify attacks and prevent them before they ever reach the server. This inspection requires intimate knowledge of the protocol being used (XML, SOAP, WSDL, and so on) as well as the capability to identify attack strings. If, as in the web server example, the server requires authentication using a username and password combination, but the programmer did not bother to check to make sure the length of the username or password did not exceed a specific value, an attacker can try to overflow a value in the application by sending a large string of characters to the CGI:

perl -e 'print "GET /cgi-bin/login?user=ido&password=", "A" x 2050,


