Download NetworkSecurity

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
page
55
page
56
page
57
page
58
page
59
page
60
page
61
page
62
page
63
page
64
page
65
page
66
page
67
page
68
page
69
page
70
page
71
page
72
page
73
page
74
page
75
page
76
page
77
page
78
Document related concepts

RapidIO wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Wireless security wikipedia , lookup

Deep packet inspection wikipedia , lookup

Internet protocol suite wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

TCP congestion control wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Computer security wikipedia , lookup

Distributed firewall wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript 
CSC 382: Computer Security
Network Security
CSC 382: Computer Security
Slide #1
Network Security
1.
2.
3.
4.
5.
6.
7.
8.
9.
ARP Spoofing
IP Spoofing
TCP and UDP Spoofing
Packet Fragmentation
Denial of Service Attacks
IPv6 Security Changes
Ping Scanning
Port Scanning
Backdoors
CSC 382: Computer Security
Slide #2
ARP Spoofing
ARP Spoofing/Cache Poisoning:
– Send spoofed MAC address in response to sender’s
ARP request
• Sender will cache response
– May need to stop response from correct host
Man-in-the-Middle Attack
– Send your MAC address in response to both Alice’s and
Bob’s ARP responses
– Intercept and forward all traffic
Tools: ettercap, parasite
CSC 382: Computer Security
Slide #3
ARP Spoofing Defences
Enable switch MAC binding
– MAC address for a port is set once
Create static ARP table for local LAN
Arpwatch
– Builds table of IP/MAC bindings for LAN
– Sends notifications of any changes
CSC 382: Computer Security
Slide #4
IP Spoofing
Forging IP address of packets
– Spoofer must bypass TCP/IP stack by writing
data directly to data link layer (raw sockets.)
Attacks
–
–
–
–
–
Conceal identity of attacker.
Misidentification: finger another IP as attacker.
Feints: hide attack in flood of forged packets.
Authentication: bypass IP-based ACLs.
Denial of Service
CSC 382: Computer Security
Slide #5
Non-blind Spoofing
Spoofing on a network which you can sniff:
– local network
– compromised network
– redirected traffic via ARP spoofing
Easier to attack
– Can see responses
– Can see TCP sequence numbers
CSC 382: Computer Security
Slide #6
Blind Attacks
Attacker A sends packets to victim host V
using spoofed IP address of trusted host T.
– V will send responses to T.
– T will discard responses as replies to packets
that it never send.
– A cannot see any of the reply packets.
– A must be able to ignore or predict responses.
CSC 382: Computer Security
Slide #7
IP Spoofing Defences
Packet filtering gateway
– Disallow incoming packets with source IPs that
belong to your internal networks.
– Drop source routed packets.
ISP packet filtering
– Disallow outgoing packets with source IPs that
don’t belong to ISP.
– Drop source routed packets.
CSC 382: Computer Security
Slide #8
TCP Spoofing
1.
2.
3.
4.
Select trusted host to impersonate.
Guess TCP ISN of victim host.
Use a DOS attack to silence trusted host.
Send SYN packet to victim host with
spoofed IP address of trusted host.
5. Trusted host can’t respond to SYN+ACK.
6. Send ACK packet to victim host with
spoofed IP address and guessed ISN+1.
CSC 382: Computer Security
Slide #9
Session Hijacking Attack
rlogin can be configured to allow access
from an IP address without password
~/.rhosts or /etc/hosts.equiv
Plan of Attack
Hijack telnet connection from V to T.
Send target host T commands
echo “+ + >>~/.rhosts”
Use rlogin to access account without password.
CSC 382: Computer Security
Slide #10
TCP Defences
Random ISNs
– If attacker can’t guess sequence numbers of a
connection, session can’t be hijacked.
– Adding a random number to previous ISN insufficient.
– Some “random” schemes can be statistically attacked.
Cryptographically Secure Protocols
– Connections reject packets that aren’t correctly
encrypted as part of the application stream.
– Example: ssh, Kerberized telnet
CSC 382: Computer Security
Slide #11
Packet Fragmentation
Occurs at IP layer
Each fragment has own IP header
Characteristics:
– Each fragment of a packet has same identification field.
– More Fragments flag set (except on final frag).
– Fragment Offset is offset (8-byte units) of fragment
from beginning of original datagram.
– Total Length field is length of fragment.
CSC 382: Computer Security
Slide #12
Fragment Security Issues
Large Datagrams
– Use multiple fragments that will be re-assembled into a
packet larger than the maximum IP packet size of 64KB.
– example: ping of death
Tiny Fragments
– Break up TCP header into multiple packets to prevent
firewalls/NIDS from seeing header data.
– Minimum fragment size is 68 bytes
• .8 bytes of TCP header (src/dest ports) in 1st fragment,
• SYN and ACK flags would be in second.
CSC 382: Computer Security
Slide #13
Fragment Security Issues
Overlapping Fragments
– Fragment offsets overlap, so during reassembly, second
packet is copied over part of TCP header, allowing true
header to be hidden in second packet while firewall
reads misleading header data from first packet.
– Denial of Service: Teardrop attack uses overlapping
fragments to overflow integer in memory copy to crash
Windows 95/NT and Linux <2.0.32 hosts.
Tools
– fragroute, hping
CSC 382: Computer Security
Slide #14
Denial of Service
•
•
•
•
Modes of Attack
SYN Floods
Smurfing
Distributed DOS Attacks
CSC 382: Computer Security
Slide #15
Modes of Attack
1. Network Connectivity
–
SYN Floods
2. Using Your Own Resources Against You
–
echo/chargen spoofing
3. Bandwidth Consumption
–
Smurfing
4. Other Resource Consumption
–
–
email bombs
disk filling by syslog spoofing/anonymous ftp
CSC 382: Computer Security
Slide #16
SYN Floods
Create many half-open connections to target
– Send SYN packet
– Ignore SYN+ACK response
• (May spoof invalid source IP address for each SYN)
Target hosts connection table fills up
– 3 minute timeout for final ACK
– all new TCP connections refused
Detection
– netstat -a -f inet
– Are too many connections in SYN_RECEIVED state?
CSC 382: Computer Security
Slide #17
SYN Flood Defences
• Micro-connections: Allocate few resources (~16
bytes) micro-record until ACK recv’d
• RST Cookies:
– Server sends incorrect SYN+ACK to first client
connection request, eliciting RST as response.
Thereafter, connections from that client are accepted.
• SYN Cookies: Store state in ISN, not on server.
– Compute ISN using hash of src + dst IP addresses and
ports.
– Valid clients will respond with ISN+1, allowing server
to compute connection table entry.
CSC 382: Computer Security
Slide #18
Smurfing
Build special ICMP/UDP echo packet
Forge IP source address to be that of target.
Destination address is a broadcast address.
Each host that receives broadcast will respond
to the spoofed target address with an echo
packet, overwhelming target host.
Most current routers refuse to pass on directed
broadcast packets.
CSC 382: Computer Security
Slide #19
Distributed DOS Attacks
1. Set up DDOS Network
1. Manual compromise by group of crackers.
2. Automated comprise by a worm.
2. Launch Attack
3. Victim networks become unresponsive
Identification difficult due to router/host failures and lack
of logging of packets.
4. Third party effects
Victim responses sent to spoofed IP addresses.
CSC 382: Computer Security
Slide #20
DDOS Attack Diagram
DOS Controller
Zombie
Zombie
Zombie
Victim
CSC 382: Computer Security
Slide #21
Zombie Machines
Accept commands from master server
– attack target
– software updates
Timer for many worms
Semi-automatic often use IRC bot
– IRC bots listen for commands on IRC channel
– Detect: netstat –a –n | grep 6667
Others use web server or unique UDP server.
CSC 382: Computer Security
Slide #22
Filterable and non-Filterable Attacks
Filterable Attacks
– Attack non-essential services (ICMP echo) or
ports (random UDP flood.)
Non-filterable Attacks
– Attack essential services (email or web.)
– Packets may be partially valid for targeted
protocol.
CSC 382: Computer Security
Slide #23
DDOS Defences
Detection
– DDOSping
– Zombie Zapper
Prevention
– Check for zombie hosts on your networks.
– TCP/IP configuration against specific DDOS
attacks like smurfing SYN floods.
– Rate limiting/filtering at border routers or ISP.
CSC 382: Computer Security
Slide #24
IPv6 Security: IPsec
Encapsulating Security Payload (ESP)
–
–
–
–
End-to-end secret key encryption.
Integrity and data origin authentication.
Anti-replay features.
Confidentiality (padding, dummy packets.)
Authentication Header (AH)
– Verify where packet came from.
– Check integrity of packet.
IPcomp: IP packet compression
IKE (Internet Key Exchange) Protocol
– Optional: can manually config AH/ESP keys
CSC 382: Computer Security
Slide #25
Discussion Question
Can a protocol like IPsec solve our network
security problems, such as the ones
mentioned earlier in this presentation?
CSC 382: Computer Security
Slide #26
Ping Scanning
Send IP packet to each IP address in a
network, checking for responses.
Scan types
1.
2.
3.
4.
ICMP echo
TCP port 80
TCP/UDP specific port
Fragmented packets
CSC 382: Computer Security
Slide #27
Ping Scanning
> nmap -sP 10.17.0.0/24
Starting nmap 3.50 (
http://www.insecure.org/nmap/ ) at 2004-04-05
13:57 EDT
Host pc_elan.lc3net (10.17.0.1) appears to be up.
Host 10.17.0.31 appears to be up.
Host 10.17.0.35 appears to be up.
Host sun02 (10.17.0.55) appears to be up.
Host sun09 (10.17.0.64) appears to be up.
Host pc208p01 (10.17.0.66) appears to be up.
Host sun14 (10.17.0.80) appears to be up.
Host 10.17.0.241 appears to be up.
Host 10.17.0.247 appears to be up.
Nmap run completed -- 256 IP addresses (54 hosts
up) scanned in 4.510 seconds
CSC 382: Computer Security
Slide #28
Defences
Firewalls
– Refuse ICMP echo ingress.
– Restrict TCP ports to necessary servers
• port 80 only to web server
• port 25 only to mail server
Bypassing defences
– Multiple sweeps with different target ports.
– ICMP timestamp and netmask request queries.
– Fragment scans.
CSC 382: Computer Security
Slide #29
Ping Scan vs Firewall
Firewall Ruleset
– pass from any to 10.0.17.31 port 53
– pass from any to 10.0.17.35 port 25
– drop all
> nmap -sP 10.17.0.0/24
Starting nmap 3.50 at 2004-04-05 13:57
Nmap run completed -- 256 IP addresses (0
hosts up) scanned in 72.430 seconds
CSC 382: Computer Security
Slide #30
Ping Scan vs Firewall
Firewall Ruleset
– pass from any to 10.0.17.31 port 25 keep state
– pass from any port 53 to any keep state
– drop all
> nmap -sP –PS25 10.17.0.0/24
– bypasses first rule, finds any hosts listening on port 25
> nmap -sP –g 53 10.17.0.0/24
– bypasses second rule, as packets look like DNS
response
CSC 382: Computer Security
Slide #31
Port Scanning
Method of discovering exploitable
communication channels by probing
networked hosts to find which TCP and
UDP ports they’re listening on.
CSC 382: Computer Security
Slide #32
nmap TCP connect() scan
> nmap -sT at204m02
(1645 ports scanned but not shown are in state: closed)
PORT
STATE SERVICE
22/tcp
open ssh
80/tcp
open http
111/tcp
open rpcbind
443/tcp
open https
515/tcp
open printer
2049/tcp
open nfs
4045/tcp
open lockd
5432/tcp
open postgres
5901/tcp
open vnc-1
6000/tcp
open X11
32775/tcp open sometimes-rpc13
Nmap run completed -- 1 IP address (1 host up) scanned in
43.846 seconds
CSC 382: Computer Security
Slide #33
TCP connect() scan
Use connect() system call on each port, following
normal TCP connection protocol (3-way
handshake).
connect() will succeed if port is listening.
Advantages: fast, requires no privileges
Disadvantages: easily detectable and blockable.
CSC 382: Computer Security
Slide #34
TCP SYN Scan
Send SYN packet and wait for response
– SYN+ACK
• Port is open
• Send RST to tear down connection
– RST
• Port is closed
Advantage: less likely to be logged or blocked
Disadvantage: requires root privilege
CSC 382: Computer Security
Slide #35
Stealth Scans
Send illegal flag combinations
– No response
• Port is open
– RST
• Port is closed.
Example combinations
– FIN
– XMAS (FIN + URG + PUSH)
– NULL (none)
CSC 382: Computer Security
Slide #36
Fragmentation Scan
Modify TCP stealth scan (SYN, FIN, Xmas,
NULL) to use tiny fragmented IP datagrams.
Advantages: increases difficulty of scan
detection and blocking.
Disadvantages: does not work on all Oses, and
may crash some firewalls/sniffers.
CSC 382: Computer Security
Slide #37
Idle Scan
Use intermediate “idle” (zero traffic) host.
Host must increment IP identification header each pkt.
Process
1. Connect to idle host to obtain IP id.
2. Send SYN packet to port X of target host with
spoofed IP of idle host.
3. If port is open, target host will send SYN+ACK to idle
host.
4. Connect to idle host to obtain updated IP id
5. If IP id incremented, port X on target was open
Advantage: no IP packets from your IP address.
CSC 382: Computer Security
Slide #38
Version Scanning
Port scanning reveals which ports are open
– Guess services on well-known ports.
How can we do better?
– Find what server: vendor and version
– telnet/netcat to port and check for banner
– Version scanning
CSC 382: Computer Security
Slide #39
nmap version scan
> nmap -sV at204m02
(The 1645 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
22/tcp
open ssh
OpenSSH 3.7.1p2 (protocol 1.99)
80/tcp
open http Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2)
111/tcp open rpcbind 2-4 (rpc #100000)
443/tcp open ssl/http Apache httpd 2.0.48 (mod_python/3.1.3 … DAV/2)
515/tcp open printer?
2049/tcp open nfs
2-3 (rpc #100003)
4045/tcp open nlockmgr 1-4 (rpc #100021)
5432/tcp open postgres?
5901/tcp open vnc
VNC (protocol 3.3)
6000/tcp open X11?
32775/tcp open status 1 (rpc #100024)
CSC 382: Computer Security
Slide #40
OS Fingerprinting
Identify OS by specific features of its
TCP/IP network stack implementation.
–
–
–
–
Explore TCP/IP differences between OSes.
Build database of OS TCP/IP fingerprints.
Send set of specially tailored packets to host
Match results to identical fingerprint in db to
identify operating system type and version.
• Xprobe uses fuzzy matching techniques.
CSC 382: Computer Security
Slide #41
nmap OS fingerprint examples
> nmap –O at204m02
...
Device type: general purpose
Running: Sun Solaris 8
OS details: Sun Solaris 8
Uptime 10.035 days (since Sat Mar 27 08:59:38
2004)
> nmap –O 10.17.0.1
…
Device type: router
Running: Bay Networks embedded
OS details: Bay Networks BLN-2 Network Router or
ASN Processor revision 9
CSC 382: Computer Security
Slide #42
Passive Fingerprinting
Identify OSes of hosts on network by sniffing
packets sent by each host.
Use similar characteristics as active technique:
TTL
MSS
Initial Window Size
Don’t Fragment bit
Tools: p0f
CSC 382: Computer Security
Slide #43
Fingerprinting Defences
Detection
NIDS
Blocking
Firewalling
Some probes can’t be blocked.
Deception
IPpersonality changes Linux TCP/IP stack
signature to that of another OS in nmap db.
CSC 382: Computer Security
Slide #44
Firewalls
1.
2.
3.
4.
5.
6.
7.
What is a firewall?
Types of Firewalls
Packet Filtering
Proxying
Firewall Architectures
Bastion Hosts
Tunneling and VPNs
CSC 382: Computer Security
Slide #45
What is a Firewall?
A software or hardware component that
restricts network communication between
two computers or networks.
In buildings, a firewall is a fireproof wall
that restricts the spread of a fire.
Network firewall prevents threats from
spreading from one network to another.
CSC 382: Computer Security
Slide #46
Internet Firewalls
Many organizations/individuals deploy a firewall
to restrict access to their network from Internet.
CSC 382: Computer Security
Slide #47
What is a Firewall? (2)
A mechanism to enforce security policy
– Choke point that traffic has to flow through.
– ACLs on a host/network level.
Policy Decisions:
– What traffic should be allowed into network?
• Integrity: protect integrity of internal systems.
• Availability: protection from DOS attacks.
– What traffic should be allowed out?
• Confidentiality: protection from data leakage.
CSC 382: Computer Security
Slide #48
Types of Firewalls
Packet Filters
– Access control based on layer 2+3 (IP +
TCP/UDP) headers, such as source and dest
address and port.
Circuit-level Gateways
– TCP (layer 3) gateway
– Relay computer copies byte stream from client
to server and vice versa.
Application Gateways
– Application protocol gateway.
CSC 382: Computer Security
Slide #49
Packet Filtering
Forward or drop packets based on TCP/IP header
information, most often:
–
–
–
–
–
IP source and destination addresses
Protocol (ICMP, TCP, or UDP)
TCP/UDP source and destination ports
TCP Flags, especially SYN and ACK
ICMP message type
Dual-homed hosts also make decisions based on:
– Network interface the packet arrived on.
– Network interface the packet will depart on.
CSC 382: Computer Security
Slide #50
Filter Actions
Pass
– Forward acceptable packet on to destination.
Drop
– Drop unacceptable packets.
Log
– Record action taken on packet.
– Use syslog to log to internal loghost.
CSC 382: Computer Security
Slide #51
Where to Packet Filter?
Gateway Router
– Filtering at interface between networks allows
control via a choke point.
– Can filter spoofed IP addresses.
Host
– Filter packets on each individual computer.
– How to manage thousands of packet filters?
CSC 382: Computer Security
Slide #52
Ingress/Egress Filtering
Block spoofed IP addresses
Ingress Filtering
Drop packets arriving on external interface
whose source IP addresses claims to be from
internal network.
Egress Filtering
Drop packets arriving on internal interface
whose source IP address is not from internal
network.
CSC 382: Computer Security
Slide #53
Creating a Packet Filter
1. Create a security policy for a service.
ex: allow only outgoing telnet service
2. Specify security policy in terms of which
types of packets are allowed/forbidden.
3. Write packet filter in terms of vendor’s
filtering language.
CSC 382: Computer Security
Slide #54
Example: outgoing telnet
• TCP-based service
• Outbound packets
– Destination port is 23
– Source port is random port >1023
– Outgoing connection established by first packet with
no ACK flag set.
– Following packets will have ACK flag set.
• Incoming packets
– Source port is 23, as server runs on port 23.
– Dest port is high port used for outbound packets.
– All incoming packets will have ACK flag set.
CSC 382: Computer Security
Slide #55
Example: outgoing telnet
1. Rule allows outgoing telnet packets.
2. Rule allows response packets back in.
3. Rule denies all else, following Principle of FailSafe Defaults.
Dir
Src
Dest
Proto S.Port
D.Port ACK? Action
Out
Int
Any
TCP
>1023
23
Either
Accept
In
Any
Int
TCP
23
>1023
Yes
Accept
Any
Any
Any
Any
Either
Deny
Either Any
CSC 382: Computer Security
Slide #56
Example: outgoing telnet
Fedora Linux /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -m state --state NEW m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state
ESTABLISHED,RELATED –m tcp –d tcp
–
sport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT
CSC 382: Computer Security
Slide #57
Limitations/Problems
• Must know details of TCP/UDP port usage
of protocol to create filters.
• Applications only identified by port number
– What if external host is running a different TCP
protocol on port 23?
• Order of rules important
– Difficulties when adding a new service filter to
an existing ruleset.
CSC 382: Computer Security
Slide #58
Example: SMTP
Policy: Allow incoming and outgoing SMTP, deny
all other services.
Dir
In
Src
Ext
Dest
Int
Proto S.Port
TCP Any
D.Port ACK? Action
25
Either Accept
Out
Int
Ext
TCP
Any
>1023
Either
Accept
Out
Int
Ext
TCP
Any
25
Either
Accept
In
Ext
Int
TCP
Any
>1023
Either
Accept
Any
Any
Any
Any
Either
Deny
Either Any
CSC 382: Computer Security
Slide #59
Example: SMTP
•
•
•
•
Rules 1+2 allow outgoing SMTP.
Rules 3+4 allow incoming SMTP.
Rule 5 denies all other protocols.
Problem:
– What about external user attacking an internal
X server on port 23?
– Rules 2 + 4 allows all connections where both
ends use ports >1023
CSC 382: Computer Security
Slide #60
Example: SMTP
Solution: Revise rules to consider source port and
ACK flag.
Dir
In
Src
Ext
Dest
Int
Proto S.Port
TCP >1023
D.Port ACK? Action
25
Either Accept
Out
Int
Ext
TCP
25
>1023
Yes
Accept
Out
Int
Ext
TCP
>1023
25
Either
Accept
In
Ext
Int
TCP
25
>1023
Yes
Accept
Any
Any
Any
Any
Either
Deny
Either Any
CSC 382: Computer Security
Slide #61
Stateful Packet Filters
• Saves packet data to keep state, in order to
reconstruct connection at IP level
– Even though UDP has no ACK flag, can
construct connection by remembering outgoing
packet for UDP 53 (DNS) and know that a
response should come from that port to the
source port of original packet.
• Can examine packets at application layer
– Examine FTP packet stream for PASV/PORT
commands to find return port for ftp data
stream.
CSC 382: Computer Security
Slide #62
Packet Filtering Summary
Advantages:
– One packet filter can protect an entire network
– Efficient (requires little CPU)
– Supported by most routers
Disadvantages:
– Difficult to configure correctly
• Must consider rule set in its entirety
– Difficult to test completely
– Performance penalty for complex rulesets
• Stateful packet filtering much more expensive
– Enforces ACLs at layer 2 + 3, without knowing any
application details
CSC 382: Computer Security
Slide #63
Proxy Servers
Proxy host relays Transport/App connections
– Client makes connection to proxy.
– Proxy forwards connection to server.
Proxy provides:
– Access Control
• Proxies specified src + dest ports / IP addrs.
– Logging
– Anonymity
CSC 382: Computer Security
Slide #64
Example: SOCKS v5
• Socks Server
• Socks Client Library
– Clients must be linked against library.
– Library offers replacements for UNIX network
socket system calls.
• User Authentication Protocols
– Cleartext username/password.
– GSS-API authentication.
CSC 382: Computer Security
Slide #65
Circuit Gateways
Advantages:
– User-level authentication possible.
– Efficient logging, as proxy deals with circuit
connections instead of individual packets.
Disadvantages:
– Clients have to be recompiled or reconfigured to use
proxy service.
– Some services can’t be proxied.
– Cannot protect you from all protocol weaknesses.
CSC 382: Computer Security
Slide #66
Single Host Firewall
Simplest type of firewall—one host acts as a
gateway between internal and external networks.
CSC 382: Computer Security
Slide #67
Types of Single Host Firewall
Screening Router
–
–
–
–
Organizations already have a router
Most routers have packet filtering capabilities
Advantages: cheap, simple
Disadvantages: can only do packet filtering
Dual-homed Host
– Server with two NICs
– Advantages
• Configurable: packet filter, circuit proxy, app proxy
– Disadvantages
• Lower performance than router
CSC 382: Computer Security
Slide #68
Screened Subnet
Isolates internal network from external networks
by means of a perimeter network, called a DMZ.
CSC 382: Computer Security
Slide #69
Screened Subnet
Bastion hosts isolated from internal network
– Compromise of a bastion host doesn’t directly
compromise internal network.
– Bastion hosts also can’t sniff internal traffic, since
they’re on a different subnet.
No single point of failure
– Attacker must compromise both exterior and interior
routers to gain access to internal net.
Advantages: greater security
Disadvantages: higher cost and complexity
CSC 382: Computer Security
Slide #70
Screened Subnet
External Access
– Filtered: via interior + exterior routers
– Proxied: use a bastion host as a proxy server
Bastion Hosts
–
–
–
–
Proxy server
External web/ftp servers
External DNS server
E-mail gateway
CSC 382: Computer Security
Slide #71
Screened Subnet
Exterior Router
– Simple filtering rules
• Ingress/Egress Filtering
• DOS prevention
• Simple ACLs
– May be controlled by ISP
Interior Router
– Complex filtering rules.
– Must protect internal network from bastion hosts as
well as external network.
Recommendation: use different hardware/software
for interior and exterior routers.
CSC 382: Computer Security
Slide #72
Tunneling
Tunneling: Encapsulation of one network
protocol in another protocol
– Carrier Protocol: protocol used by network
through which the information is travelling
– Encapsulating Protocol: protocol (GRE, IPsec,
L2TP) that is wrapped around original data
– Passenger Protocol: protocol that carries
original data
CSC 382: Computer Security
Slide #73
ssh Tunneling
SSH can tunnel TCP connections
– Carrier Protocol: IP
– Encapsulating Protocol: ssh
– Passenger Protocol: TCP on a specific port
POP-3 forwarding
ssh -L 110:pop3host:110 -l user pop3host
– Uses ssh to login to pop3host as user
– Creates tunnel from port 110 (leftmost port #) on
localhost to port 110 (rightmost post #)of pop3host
– User configures mail client to use localhost as POP3
server, then proceeds as normal
CSC 382: Computer Security
Slide #74
Virtual Private Network (VPN)
• Two or more computers or networks
connected by a private tunnel through a
public network (typically the Internet.)
• Requirements:
– Confidentiality: encryption
– Integrity: MACs, sequencing, timestamps
• Firewall Interactions
– Tunnels can bypass firewall
– Firewall is convenient place to add VPN features
CSC 382: Computer Security
Slide #75
Firewall Limitations
Cannot protect from internal attacks
– May be able to limit access with internal
firewalls to a segment of your network.
Cannot protect you from user error
– Users will still run trojan horses that make it
past your AV scanner.
Firewall mechanism may not precisely
enforce your security policy.
CSC 382: Computer Security
Slide #76
Key Points
• Almost everything is spoofable.
• Denial of service attacks are easy.
• Port scanning
– Stealth
– OS Fingerprinting
• Firewalls
– Packet filtering
– Proxying
– DMZ
CSC 382: Computer Security
Slide #77
References
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
Steven Bellovin, “Security Problems in the TCP/IP Protocol Suite”, Computer
Communication Review, Vol. 19, No. 2, pp. 32-48, April 1989.
Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.
William Cheswick, Steven Bellovin, and Avriel Rubin, Firewalls and Internet
Security, 2nd edition, 2003.
Fyodor, “The Art of Port Scanning,”
http://www.insecure.org/nmap/nmap_doc.html
Fyodor, NMAP man page,
http://www.insecure.org/nmap/data/nmap_manpage.html
Fyodor, “Remote OS detection via TCP/IP Stack FingerPrinting,” Phrack 54,
http://www.insecure.org/nmap/nmap-fingerprinting-article.html
Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and
Internet Security, 3rd edition, O’Reilly & Associates, 2003.
Johnny Long, Google Hacking for Penetration Testers, Snygress, 2004.
Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed, 3rd edition,
McGraw-Hill, 2001.
Ed Skoudis, Counter Hack, Prentice Hall, 2002.
Elizabeth Zwicky, Brent Chapman, Simon Cooper, Building Internet Firewalls,
2nd edition, O’Reilly & Associates, 2000.
CSC 382: Computer Security
Slide #78
Related documents
TCP/IP Configuration
TCP/IP Configuration
CSS 5xx: Advanced Database Management
CSS 5xx: Advanced Database Management
The Internet and the World Wide Web
The Internet and the World Wide Web
CLIENT SERVER ARCHITECTURE
CLIENT SERVER ARCHITECTURE
Proposed Differentiated Services on the Internet
Proposed Differentiated Services on the Internet
CSC 386 Operating Systems Concepts
CSC 386 Operating Systems Concepts
Firewall Configuration
Firewall Configuration
chap01 - cknuckles
chap01 - cknuckles
How the Internet Works
How the Internet Works
Basic Network Concepts
Basic Network Concepts