* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Defense Techniques
Computer security wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Wireless security wikipedia , lookup
Multiprotocol Label Switching wikipedia , lookup
Asynchronous Transfer Mode wikipedia , lookup
Computer network wikipedia , lookup
TCP congestion control wikipedia , lookup
Airborne Networking wikipedia , lookup
List of wireless community networks by region wikipedia , lookup
Network tap wikipedia , lookup
Internet protocol suite wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Zero-configuration networking wikipedia , lookup
Real-Time Messaging Protocol wikipedia , lookup
Packet switching wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Defense Techniques Sepehr Sadra Tehran Co. Ltd. Ali Shayan November 2008 Overview • Firewalls – General Overview – Packet Filter, – Circuit-Level Gateway, Application Gateway – Stateful-Inspection – Firewalking 2 Firewall • Local network is trusted • „Outside“ is potentially malicious • Unprotected network – security is implemented on each host – single vulnerable host would violate whole network security – administrative nightmare • Protected network – place barrier at the borders of trusted, inside network – barrier provides access control – helps with system monitoring and simplifies management such a barrier is called firewall 3 Firewall • Not the ultimate solution – – – – cannot deal satisfatorily with content vulnerable to inside attacks and covert channels potential performance bottlenecks when compromised, network is unprotected • Security Strategies – least privilege • only permissions that are necessary should be granted – defense in depth • additional security installations should be present – fail-safe • a failing firewall may not reduce security 4 Packet Filter • Packet filters route packets between internal and external hosts • Do it selectively – perform filtering – allow or block certain types of packets • Screening procedure is based on – – – – – Protocol (whether the packet is a TCP, UDP, or ICMP packet) IP source/destination address TCP or UDP source/destination port TCP flags ICMP message type • Inbound and outbound interfaces may be used to specify rules 5 Packet Filter • Filtering Rules - filtering is specified using a set of rules • Each rules specifies – – – – action (allow, deny) source address/port pattern destination address/port pattern presence or absence of flags • When a packet is received the rules are applied in an ordered sequence – if a rule matches the corresponding action is taken – if no rule matches, a default action is taken 6 Packet Filter • Might be vulnerable to spoofing – only filter packets coming from outside • Fragmented Datagrams – discarded when not enough information to apply filter – when first fragment contains enough information, remaining one are passed unchecked – potential vulnerability • first fragment with innocent values • other fragments with non-zero offset rewrite these values with malicious ones • reassembled fragment is delivered to protected service 7 Packet Filter • Advantages – easy to implement (relies on existing hardware) – good performance Limits – – – – limited auditing difficult to configure not very flexible, extensible can be bypassed by “tunneling information” • FreeBSD - ipfw, ipf • Linux – iptables, ipchains 8 Gateway • A gateway is a host with two (or more) network interfaces – (usually) operating system is configured so that IP forwarding is disabled – Traffic can pass across the gateway only if there is an application that explicitly operates the transfer (proxy) • Proxy Service – application that acts as an intermediary between client within the protected network and server in the outside world and vice versa – when a client requests a connection to the outside, it actually connects to the proxy – proxy examines the connection request with respect to security policy – and possibly opens the actual connection to the server on behalf of the client 9 Circuit-Level Gateway • Not only checks packets, but sessions / connections - TCP handshaking • Transparently exchange data • Do not need to be aware of the protocol • Can not perform application-level filtering 10 Application Gateway • Application-level gateways interpret the particular application protocol being “proxied” – – – – e.g. HTTP / FTP need to know the application protocol details need a different proxy for each protocol can perform advanced filtering (e.g. on particular commands) • Advantages – cheap – extensive logging possible – very secure – internal network invisible • Limits – scalability, performance bottleneck 11 Stateful Inspection • acts as a packet filter, circuite-level and application-level gateway • but accesses higher-level protocol information – allows to track sessions (e.g. ftp) – virtual sessions for connection-less protocols (e.g. UDP) • firewall stores ports used in a particular UDP transaction • temporarily creates an exception to let the answer pass through • Cisco PIX, Check Poin Firewall 1 , Sepehr 4100,3400 12 De-Militarized Zone • DMZ – de-militarized zone – network area between two packet filters • external filter only allows traffic from outside • internal filter only allows traffic from inside – separates external and internal network – contains hosts that provide • external services (e.g. webserver, DNS) and • application gateways for internal clients – when hosts are compromised • internal traffic cannot be sniffed • protection from internal packet filter 13 Firewalking • Technique used to test the rules of a firewall without triggering inside IDS • Tools available at http://www.packetfactory.net/Projects/Firewalk/ • Based on similar mechanism as used by traceroute – – – – firewall at hop n host at hop n+m TTL set to n+1 If a TTL expired message is received the firewall didn’t filter the packet • Scan of firewall ACLs performed without triggering inside logging mechanisms 14 References • [1]National Institute of Sdandards and Technology, Guidelines on Firewalls and Firewall Policy , NIST SP 800-42, 2002. • [2] Sepehr S. T. Co. LTD, Sepehr Firewalls, October 2008. • [3] D. Brent Chapman & Elizabeth D. Zwicky, Building Internet Firewalls, O.Reilly, 2nd Edition, 2000. 15