The firewall security concept on the Internet and access control to services (İnternet'te firewall güvenlik kavramı ve hizmetlere erişim denetimi)

dc.contributor.advisor Harmanci, Emre
dc.contributor.author Ay, Yalçın
dc.contributor.authorID 55878
dc.contributor.department Control and Automation Engineering (Kontrol ve Otomasyon Mühendisliği) tr_TR
dc.date.accessioned 2023-03-16T05:59:20Z
dc.date.available 2023-03-16T05:59:20Z
dc.date.issued 1996
dc.description Thesis (M.Sc.) -- İstanbul Teknik Üniversitesi, Fen Bilimleri Enstitüsü, 1996 tr_TR
dc.description.abstract In this study the security problems arising from Internet services are examined, a survey of the "firewall" security concept is made, and a program that controls access to services is implemented. The Internet is today's most widespread and fastest-growing computer network. Through the Internet people can reach information services and software archives and communicate by electronic mail. On the Internet, whose number of users grows every day, security is one of the most important issues. Some of the security problems on the Internet stem from the services and the protocols they use. Others stem from the configuration of the computers connected to the Internet and from access controls that are weak or complicated. The most effective way of protecting data and resources against attacks that may arrive over an Internet connection is the mechanism called a "firewall". Because most Internet services were designed for internal use, they have a variety of security problems, and the solution differs according to the kind of service and the protocol used. A "firewall" is a mechanism that raises the security of internal networks while still permitting, to a controlled extent, access to Internet services. Logically, a "firewall" is a separator between the Internet and the internal networks. It can be placed between the Internet and the internal networks, and also between internal networks whose security requirements differ. "Firewall" components are network hardware elements and suitable software: for example, routers and computer systems as hardware, and packet filtering and "proxy" systems as software. A "firewall" can be thought of as the single node through which all external traffic passes. Internet traffic is inspected at this point, and the security measures, which are determined in advance and may differ from one organization to another, are enforced there.
Keeping records of Internet-related activity is another facility a "firewall" provides. Because a "firewall" does not concern itself with the data, it offers no protection against attacks carried in the data itself. Nor can a "firewall" protect against security violations originating from internal users or provide internal physical security. In a network containing hosts that require different security measures, applying protection per host instead of the global "firewall" method is another solution. In the application part of this study a program named "accessd", which provides per-host access control and service limitation for Internet services, is implemented. "Accessd" can be used on computers running the Unix operating system on which services are started through a central server such as "inetd" (the Internet Super Server). The program's two basic functions are control of access to Internet services according to IP addresses, and limitation of the services to which access has been granted. tr_TR
dc.description.abstract The Internet is a world-wide "network of networks" that uses the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite for communication. The Internet was created initially to help communication among government-sponsored researchers. Throughout the 1980s the Internet grew to include educational institutions, commercial organizations and international organizations. Many organizations are now using the Internet or considering Internet access for a variety of purposes, including exchanging e-mail, distributing information to the public and conducting research. Internet connectivity can offer enormous advantages; however, security needs to be a major consideration when planning an Internet connection. Inherent problems with TCP/IP services, the complexity of host configuration, software bugs and a variety of other factors leave unprepared sites open to intruder activity and security-related problems.

A firewall is an approach to security. It helps implement a larger security policy that defines the services and the access to be permitted; a firewall is an implementation of that security policy in terms of a network configuration. The main purpose of a firewall system is to control access to or from a protected network. The primary benefits of using a firewall can be summarized as follows:
- A firewall can improve network security and reduce risks to hosts and the subnet by filtering insecure services. A firewall can also provide protection from routing-based attacks, such as source routing.
- A firewall provides the ability to control access to computer systems. Some hosts can be made reachable from outside networks; a site could prevent outside access to its hosts except for special cases such as mail servers and information servers.
- All traffic coming from the Internet or going out from the internal network passes through the firewall, so the firewall has the opportunity to accept or reject this traffic. In addition, a firewall can log accesses and provide statistics about network usage.
- Another advantage of a firewall is that all or most modified software can be located on the firewall systems instead of being distributed over many hosts.
- A firewall enforces the site's security policy. Many of the services that people want from the Internet are inherently insecure; a firewall provides security by allowing only the traffic the policy accepts.

There are also a number of disadvantages, and a number of things that a firewall cannot protect against:
- A firewall can effectively control the traffic that passes through it; however, there is nothing a firewall can do about traffic that does not pass through it.
- A firewall is designed to prevent outsiders from obtaining sensitive data. Therefore it does not provide protection from insider threats.
- A firewall uses source/destination addresses and port numbers to determine whether a packet is allowed to pass through to the internal network. It does not inspect the data. For this reason, a firewall cannot protect a site against data-driven attacks and viruses.

Firewall Components and Architectures

Firewall definitions:
Firewall: A component or set of components that restricts access between a protected network and the Internet.
Host: A computer system attached to a network.
Bastion host: The main point of contact; any outsider must connect to it in order to reach a system or a service inside the firewall. Because the bastion host's existence is known to the Internet, it must be highly secured.
Dual-homed host: A general-purpose computer system that has at least two network interfaces.
Packet: The fundamental unit of communication on the Internet.
Perimeter network: A network added between a protected network and an external network in order to provide an additional layer of security.
Screening router: A basic component of most firewalls. Typical screening routers have the ability to block traffic between networks or specific hosts at the IP address and port level.

Firewall Architectures

Dual-Homed Host Architecture. A dual-homed host architecture is built around the dual-homed host computer. Such a host could act as a router between the private network and the Internet, so IP forwarding must be disabled on this system. Hosts on the private network can communicate with the gateway, as can hosts on the Internet, but direct traffic between the two networks is disabled.
Figure 1: A typical dual-homed host architecture (bastion host between the Internet and the private network).

Screened Host Architecture. The most common firewall configuration is a screened host gateway, implemented using a screening router and a bastion host. The bastion host sits on the private network and is the only host there that is reachable from the Internet. Often the screening router is configured to block traffic to the bastion host on specific ports. In this architecture the primary security is provided by packet filtering.
Figure 2: Screened host architecture (screening router in front of the bastion host; other traffic blocked).

Screened Subnet Architecture. In some firewall configurations an isolated subnet is placed between the Internet and the private network. Typically this network is isolated using screening routers, each of which may apply a different level of packet filtering. Generally a screened subnet is configured such that both the Internet and the private network have access to hosts on the screened subnet, while traffic straight across the screened subnet, from one side to the other, is blocked. In order to support interactive terminal sessions or application-level gateways, some screened subnet configurations include a bastion host.
Figure 3: Screened subnet architecture (bastion host and other hosts on the perimeter network).

Application-Level Gateway (Proxy Gateway). Many programs on the Internet, such as mailers, work in store-and-forward mode. Application-level gateways are service-specific forwarders that usually operate in user mode rather than at the protocol level. They deal with the insecurity problems by avoiding user logins on the dual-homed host and by forcing connections through controlled software. Standard client software must be modified in order to work with an application-level gateway.

Access Control Software: "accessd"

Different hosts in a network may require different levels of security. Therefore, security issues in a given IP network should be considered on a per-host basis. The main purpose of this implementation is to provide host-based access control to Internet services in a Unix environment. In this thesis an access control and network monitoring program called "accessd" is implemented. On a Unix machine, the usual approach for a service is to run one daemon process that waits for all kinds of incoming network connections. Whenever a connection is established this daemon (usually called inetd) runs the appropriate server program and waits for other connections. In order to use accessd as an access control mechanism, inetd must start "accessd" instead of the real server program when a connection request arrives; "accessd" checks the client host name or IP address, logs the name of the client host to a file and then runs the real server program.

Features of "accessd"

Access Control. "Accessd" uses a text file (access.allow) for access control. This file has zero or more lines of text. The lines are processed in order of appearance, and the search terminates when a match is found. All lines in the "access.allow" file must satisfy the following format:
server_list : keyword : client_list
server_list: a list of one or more daemon process names. Process names in this list are separated by the "," character. The ALL keyword can be used in this field to denote all services.
keyword: ALLOW, DENY or USERNAME. ALLOW is used when we want to give access permission to the clients in the client list; otherwise the DENY keyword is used. If the USERNAME keyword is used, the user name associated with the connection request is determined by using the IDENT protocol, which is specified in RFC 1413.
client_list: a list of one or more client host names or IP addresses. The ALL keyword can also be used in this field.

Client Username Lookup. When the client host supports the IDENT protocol, "accessd" can retrieve additional information about the owner of a connection. The client user name is logged together with the client host name. Username lookup is possible only with TCP-based services and only when the client host runs a suitable daemon.

Detecting Address Spoofing. It is possible to change the IP address and host name information for TCP/IP applications. Some services use host name information for authentication, such as the remote shell service. The IDENT service can be used to detect such address spoofing attacks: before accepting a client request, "accessd" can consult the IDENT service on the client host. When the client host provides the IDENT service, a negative IDENT lookup result is strong evidence of a host spoofing attack. It is also possible, however, to spoof both the client connection and the IDENT lookup, so the IDENT answer is evidence for the log, not a substitute for authentication.

Logging. Connections that are monitored by "accessd" are reported through the "syslog" facility. Each record contains a time stamp, the client host name and the name of the requested service. This information can be useful for detecting unwanted activity.

Host Name Verification. Some Internet services use host name information for authentication and believe whatever host name they get from any random name server. "Accessd" verifies the client host name returned by the address-to-name DNS lookup against the addresses returned by the name-to-address DNS lookup for that name.

Service Process Number Limitation. After a connection request is granted, "accessd" can limit the number of service processes for a specific host or domain. "Accessd" uses the "hostlimit" text file for this limitation. Each line of this file contains a client host or domain IP address, an Internet service port and the number of server processes permitted. en_US
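The access.allow evaluation and the host name double-lookup described in the abstract, as an added Python example; this is not the thesis's accessd source (which is not on this page) but a reimplementation of the rules it states. The rule file, the host names (example.com) and the addresses (RFC 5737 documentation ranges) are constructed, and FakeResolver stands in for the socket module so the example runs offline. Four details are assumptions rather than statements of the abstract: "#" starts a comment, a client entry beginning with "." matches every host under that domain, a client whose reverse-lookup name fails the forward check can match only IP-address entries, and a request that matches no rule is denied.

```python
"""Host-based access control in the manner of accessd: added example, not the thesis's code.

Rule format, from the abstract:   server_list : keyword : client_list
  server_list  comma-separated daemon names, or ALL
  keyword      ALLOW, DENY or USERNAME (USERNAME: admit, but identify the user via IDENT)
  client_list  comma-separated host names or IP addresses, or ALL
Rules are processed in order of appearance; the first match decides.

Assumed here, not stated in the abstract: '#' starts a comment; a client entry that
starts with '.' matches every host under that domain; a client whose reverse-DNS name
fails the forward check matches IP-address entries only; no matching rule means DENY.
"""
import socket
from collections import namedtuple

Rule = namedtuple("Rule", "servers keyword clients")
KEYWORDS = ("ALLOW", "DENY", "USERNAME")


def parse_rules(text):
    """Parse the contents of access.allow into an ordered list of Rule objects."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3:
            raise ValueError("access.allow line %d: need server_list : keyword : client_list" % lineno)
        servers, keyword, clients = fields
        if keyword.upper() not in KEYWORDS:
            raise ValueError("access.allow line %d: unknown keyword %r" % (lineno, keyword))
        rules.append(Rule(frozenset(s.strip() for s in servers.split(",")),
                          keyword.upper(),
                          frozenset(c.strip().lower() for c in clients.split(","))))
    return rules


def verified_hostname(ip, resolver=socket):
    """Double lookup: the name from the address->name lookup is accepted only if the
    name->address lookup for it returns the same address. Otherwise return None."""
    try:
        name = resolver.gethostbyaddr(ip)[0]
        addrs = resolver.gethostbyname_ex(name)[2]
    except OSError:            # socket.herror and socket.gaierror are OSError subclasses
        return None
    return name.lower() if ip in addrs else None


def client_matches(entry, ip, name):
    """Does one client_list entry match the connecting client?"""
    if entry == "all" or entry == ip:
        return True
    if name is None:           # unverified host name: name-based entries never match
        return False
    if entry.startswith("."):
        return name.endswith(entry)
    return entry == name


def decide(rules, service, ip, resolver=socket):
    """Return (keyword, verified_name, index of the matching rule or None)."""
    name = verified_hostname(ip, resolver)
    for i, rule in enumerate(rules):
        if "ALL" not in rule.servers and service not in rule.servers:
            continue
        if any(client_matches(entry, ip, name) for entry in rule.clients):
            return rule.keyword, name, i
    return "DENY", name, None


# Constructed sample data: RFC 5737 documentation addresses and example.com names.
SAMPLE_ACCESS_ALLOW = """\
# server_list   : keyword  : client_list
telnetd, ftpd   : ALLOW    : .example.com
rlogind         : USERNAME : 192.0.2.10
ALL             : DENY     : ALL
"""


class FakeResolver:
    """Stand-in for the socket module's DNS calls. 198.51.100.7 has a forged PTR
    record claiming to be ws1.example.com, whose A record says otherwise."""
    PTR = {"192.0.2.10": "ws1.example.com", "198.51.100.7": "ws1.example.com"}
    A = {"ws1.example.com": ["192.0.2.10"]}

    def gethostbyaddr(self, ip):
        if ip not in self.PTR:
            raise socket.herror(1, "Unknown host")
        return self.PTR[ip], [], [ip]

    def gethostbyname_ex(self, name):
        if name not in self.A:
            raise socket.gaierror(-2, "Name or service not known")
        return name, [], self.A[name]


def demo():
    """Run four sample requests through the rules; returns {(service, ip): keyword}."""
    rules = parse_rules(SAMPLE_ACCESS_ALLOW)
    resolver = FakeResolver()
    verdicts = {}
    for service, ip in (("ftpd", "192.0.2.10"), ("ftpd", "198.51.100.7"),
                        ("rlogind", "192.0.2.10"), ("fingerd", "192.0.2.10")):
        keyword, name, index = decide(rules, service, ip, resolver)
        verdicts[(service, ip)] = keyword
        print("%-8s from %-13s (%s) -> %s, rule %s" % (service, ip, name or "UNVERIFIED", keyword, index))
    return verdicts


if __name__ == "__main__":
    demo()
```

The second request shows why the double lookup matters: 198.51.100.7 presents a PTR record naming it ws1.example.com, which would satisfy the ".example.com" rule if the name were trusted as returned; because ws1.example.com's own address record does not contain 198.51.100.7, the name is discarded and the request falls through to the final DENY. Replacing FakeResolver with the real socket module gives the production behaviour; an inetd-style wrapper would call decide() and then exec the real server only for ALLOW or USERNAME.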
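The IDENT exchange behind the USERNAME keyword and the spoof-detection heuristic, as an added Python example; it is not the thesis's code. Both sides of the RFC 1413 dialogue are shown: the query a server such as accessd sends, the reply an identd on the client host returns, and the way a negative reply is interpreted. The in-memory identd, its connection table, the user name "alice" and the addresses are constructed so the exchange runs offline; tcp_transport() is the real transport over port 113 and is not exercised by the demo.

```python
"""IDENT (RFC 1413) lookup as accessd uses it for the USERNAME keyword and for
spoof detection. Added example, not the thesis's code.

Our server accepted a TCP connection from client_ip:client_port on local_port.
It connects to client_ip port 113 and sends "<client_port> , <local_port>": the
RFC states both ports from the ident server's side, so the port on the host that
runs identd (the client) comes first. The reply is one of
    <client_port> , <local_port> : USERID : <opsys> : <user-id>
    <client_port> , <local_port> : ERROR : <error-type>
The in-memory identd and its connection table are constructed for the example.
"""
import socket

IDENT_PORT = 113


def build_query(remote_port, local_port):
    return ("%d , %d\r\n" % (remote_port, local_port)).encode("ascii")


def parse_reply(reply, remote_port, local_port):
    """Return ("USERID", user), ("ERROR", error_type) or ("MALFORMED", reason).
    The port pair echoed in the reply must match the query, otherwise the reply
    is not about the connection we asked for."""
    text = reply.decode("ascii", "replace").rstrip("\r\n")
    fields = [f.strip() for f in text.split(":", 3)]   # a user-id may itself contain ':'
    if len(fields) < 3:
        return "MALFORMED", "too few fields"
    try:
        ports = tuple(int(p) for p in fields[0].split(","))
    except ValueError:
        return "MALFORMED", "bad port pair"
    if ports != (remote_port, local_port):
        return "MALFORMED", "port pair does not match the query"
    kind = fields[1].upper()
    if kind == "USERID" and len(fields) == 4:
        return "USERID", fields[3]
    if kind == "ERROR" and len(fields) == 3:
        return "ERROR", fields[2].upper()
    return "MALFORMED", "unknown reply type"


def identd_reply(query, connections):
    """The server side: what identd on the client host answers. `connections` maps
    (port on that host, port on the peer) to the owning user name."""
    try:
        a, b = (int(p) for p in query.decode("ascii").split(","))
    except ValueError:                      # also covers UnicodeDecodeError
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    if not (0 < a < 65536 and 0 < b < 65536):
        return ("%d , %d : ERROR : INVALID-PORT\r\n" % (a, b)).encode("ascii")
    user = connections.get((a, b))
    if user is None:
        return ("%d , %d : ERROR : NO-USER\r\n" % (a, b)).encode("ascii")
    return ("%d , %d : USERID : UNIX : %s\r\n" % (a, b, user)).encode("ascii")


def lookup_user(client_ip, client_port, local_port, transport):
    """transport(ip, query) returns the reply bytes or raises OSError when the
    client host runs no identd (connection refused, timeout)."""
    try:
        reply = transport(client_ip, build_query(client_port, local_port))
    except OSError:
        return "UNAVAILABLE", None
    return parse_reply(reply, client_port, local_port)


def tcp_transport(client_ip, query, timeout=5.0):
    """Real transport for lookup_user: one query per connection to port 113."""
    with socket.create_connection((client_ip, IDENT_PORT), timeout=timeout) as s:
        s.sendall(query)
        reply = b""
        while not reply.endswith(b"\n") and len(reply) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            reply += chunk
    return reply


def spoof_hint(result):
    """The abstract's rule: a client host that does run identd but denies knowing
    the connection is strong evidence that the source address is forged. A host
    without identd, or one that answers, proves nothing either way."""
    kind, detail = result
    return kind == "ERROR" and detail in ("NO-USER", "INVALID-PORT")


# Constructed state of the client host 192.0.2.10: one rlogin connection from its
# port 1023 to our port 513, owned by "alice". 192.0.2.20 runs no identd at all.
CLIENT_CONNECTIONS = {(1023, 513): "alice"}


def fake_transport(client_ip, query):
    if client_ip != "192.0.2.10":
        raise ConnectionRefusedError("no identd on %s" % client_ip)
    return identd_reply(query, CLIENT_CONNECTIONS)


def demo():
    genuine = lookup_user("192.0.2.10", 1023, 513, fake_transport)
    forged = lookup_user("192.0.2.10", 2048, 513, fake_transport)   # that host has no such connection
    silent = lookup_user("192.0.2.20", 1023, 513, fake_transport)
    for label, result in (("genuine", genuine), ("forged", forged), ("silent", silent)):
        print("%-8s -> %s spoof hint: %s" % (label, result, spoof_hint(result)))
    return genuine, forged, silent


if __name__ == "__main__":
    demo()
```

The "forged" case is the one the abstract calls strong evidence of spoofing: a packet claiming to come from 192.0.2.10 port 2048 reaches our port 513, but the real host at that address, which does run identd, reports no such connection. Everything in the reply is chosen by the remote host, so a returned user name is a log entry and nothing more; an attacker who controls the source host, or who can forge the connection and answer the port 113 query as well, gets whatever result they like.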
dc.description.degree M.Sc. (Yüksek Lisans) tr_TR
dc.identifier.uri http://hdl.handle.net/11527/23475
dc.language.iso tr
dc.publisher Fen Bilimleri Enstitüsü tr_TR
dc.rights All works uploaded to the institutional repository are protected by copyright. They may be viewed from this source for any purpose, but reproduction or distribution in any form is prohibited without written permission. tr_TR
dc.rights All works uploaded to the institutional repository are protected by copyright. They may be viewed from this source for any purpose, but reproduction or distribution in any format is prohibited without written permission. en_US
dc.subject Firewall tr_TR
dc.subject Security systems tr_TR
dc.subject Internet tr_TR
dc.subject Firewall en_US
dc.subject Security systems en_US
dc.subject Internet en_US
dc.title İnternet'te firewall güvenlik kavramı ve hizmetlere erişim denetimi (The firewall security concept on the Internet and access control to services) tr_TR
dc.type Thesis tr_TR
Files
Original bundle (showing 1 - 1 of 1)
Name: 55878.pdf
Size: 5.87 MB
Format: Adobe Portable Document Format
License bundle (showing 1 - 1 of 1)
Name: license.txt
Size: 3.16 KB
Format: Plain Text