Firewalls
[Diagram: Evil Hackers --> Firewall --> Your network]
• Firewalls mitigate risk
• Block many threats
• They have vulnerabilities
A firewall usually sits at your connection to the
Internet. Networking is a prerequisite for this
course, so you already know the protocols, but it
is worthwhile to look at the interface to the
Internet again with security in mind.
Typical Network Stack
• Application Layer (FTP, HTTP, SSH, etc.)
• Transport Layer (TCP, UDP)
• Internet Layer (IP, ICMP)
• Network Access Layer (Ethernet, FDDI, etc.)
(ICMP is carried inside IP and belongs to the Internet layer, even though it is often listed next to TCP and UDP.)
(On a Novell IPX or AppleShare network, the Internet layer protocol is different.)
(Carrier Pigeon Network Access Layer: RFC 1149, published 1 April 1990,
specifies the transmission of IP datagrams on avian carriers.)
Packet Organization
Each layer's packet has a header and a data field.
Each layer treats everything it receives from the
layer above as data and prepends its own header,
i.e. every layer adds a header.
Encapsulation (each layer wraps the one above it)
Application (FTP, HTTP, …):                                              [ Data ]
Transport (TCP, UDP, …):                                  [ TCP Header | Data ]
Internet (IP):                                [ IP Header | TCP Header | Data ]
Network (Ethernet):       [ Ethernet Header | IP Header | TCP Header | Data ]
Ethernet Layer
• Header:
  – Type of the payload (EtherType), e.g. IP
  – Source address: the original sender or the last router on the path
  – Destination address:
    • the final destination or the next router
    • may be a multicast or broadcast address
  – Addresses are Media Access Control (MAC) addresses
• Data: an IP packet
IP Layer
• Header
  – IP source address, e.g. 35.9.20.20
  – IP destination address
  – IP protocol type, e.g. TCP, UDP, ICMP
• Data: a TCP segment (or UDP, ICMP, etc.)
• Fragmentation
  If a datagram is larger than the maximum packet size (MTU) of the next link,
  its data is split across multiple IP packets (fragments), each with its own IP header.
TCP Layer
• Header
  – TCP source port (2 bytes)
  – TCP destination port (2 bytes)
  – TCP flags: designate the packet type
    • ACK, SYN, etc.
• Data: application data, e.g. FTP data
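The headers described on the last four slides, decoded layer by layer so that each parser hands its data field to the next one. This is an added example, not material from the slides: the frame is constructed inline (the IP addresses are the ones used on the slides, the MAC addresses are invented), and the IP and TCP checksums are left at zero because nothing on this path verifies them.

```python
"""Decode an Ethernet / IPv4 / TCP frame one layer at a time (constructed sample)."""
import struct
from dataclasses import dataclass, field

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


@dataclass
class Ethernet:
    dst_mac: str
    src_mac: str
    ethertype: int


@dataclass
class IPv4:
    src: str
    dst: str
    protocol: int
    total_length: int
    header_length: int
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int      # in 8-byte units, as carried on the wire


@dataclass
class TCP:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    header_length: int
    flags: set = field(default_factory=set)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_ethernet(frame: bytes):
    """Ethernet header: 6-byte destination, 6-byte source, 2-byte type. Data = IP packet."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return Ethernet(_mac(dst), _mac(src), etype), frame[14:]


def parse_ipv4(pkt: bytes):
    """IPv4 header: addresses, protocol, lengths and the fragmentation fields. Data = segment."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4            # header length including options
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("bad IPv4 length fields")
    hdr = IPv4(_ip(src), _ip(dst), proto, total_len, ihl,
               dont_fragment=bool(flags_frag & 0x4000),
               more_fragments=bool(flags_frag & 0x2000),
               fragment_offset=flags_frag & 0x1FFF)
    return hdr, pkt[ihl:total_len]       # drop any Ethernet padding past total_len


def parse_tcp(seg: bytes):
    """TCP header: 2-byte ports, sequence numbers, flags. Data = application bytes."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4      # header length including options
    if data_off < 20 or data_off > len(seg):
        raise ValueError("bad TCP data offset")
    flags = {name for name, bit in TCP_FLAG_BITS.items() if off_flags & bit}
    return TCP(sport, dport, seq, ack, data_off, flags), seg[data_off:]


def decode_frame(frame: bytes):
    """Peel the layers in order: Ethernet, then IP, then TCP, then the payload."""
    eth, ip_bytes = parse_ethernet(frame)
    if eth.ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType {eth.ethertype:#06x}")
    ip, l4_bytes = parse_ipv4(ip_bytes)
    if ip.protocol != IPPROTO_TCP:
        return eth, ip, None, l4_bytes
    tcp, payload = parse_tcp(l4_bytes)
    return eth, ip, tcp, payload


def build_sample_frame() -> bytes:
    """Constructed sample: 10.42.6.9:40000 -> 35.9.20.20:80, PSH|ACK, DF set, HTTP request."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0x11223344, 0x99999999,
                      (5 << 12) | TCP_FLAG_BITS["PSH"] | TCP_FLAG_BITS["ACK"],
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0, bytes([10, 42, 6, 9]), bytes([35, 9, 20, 20])) + tcp
    return struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                       bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    for layer in decode_frame(build_sample_frame()):
        print(layer)
```

Every length check in the parsers is the kind of check a packet filter must make before trusting a field: the IP total length bounds the TCP segment, and the TCP data offset bounds the header, so a crafted short packet raises instead of being read past its end.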
Multicast or Broadcast Source
• Legitimate use:
  A DHCP client has no valid address yet, so its request goes out from the
  unspecified source 0.0.0.0 to the broadcast address, and the reply is
  broadcast as well
• Illegitimate use:
  A packet with a broadcast source address sent to a single destination makes
  that host send its reply to the broadcast address, so the attacker can use
  the destination as a broadcast source it could not otherwise reach
• Since DHCP isn't external (normally), block packets with a broadcast or
  otherwise invalid source address at the firewall
IP Fragmentation
Prevent fragmentation with
path MTU discovery
– Maximum Transmission Unit (MTU): the largest packet a link carries
– Send a packet with the "don't fragment" (DF) bit set
  If an ICMP "fragmentation needed" error comes back, decrease the size
  (to the next-hop MTU the error reports);
  otherwise the size fits the path, and a larger size can be tried again later
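The discovery loop from the slide, run against a simulated path. This is an added example, not part of the slides: the hops and their MTUs are constructed, and the fallback size of 576 bytes for a path that never answers is this example's choice (576 is the datagram size every IPv4 host must accept), not something the slides prescribe.

```python
"""Path MTU discovery against a simulated path (constructed hops).

A hop forwards a datagram or, if it exceeds the next link's MTU while DF is set,
returns ICMP Destination Unreachable code 4 ("fragmentation needed and DF set")
carrying the next-hop MTU, as RFC 1191 specifies. A firewall that swallows that
ICMP turns the path into a black hole, which the sender can only infer from silence.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FALLBACK_MTU = 576   # example's black-hole fallback: every IPv4 host accepts 576-byte datagrams
MIN_IPV4_MTU = 68    # RFC 791 floor; an ICMP report below it is nonsense


@dataclass
class Hop:
    name: str
    mtu: int                 # MTU of the link this hop forwards onto
    leaks_icmp: bool = True  # False: the ICMP error is dropped on the way back


def send(path: List[Hop], size: int, dont_fragment: bool = True) -> Tuple[str, Optional[int]]:
    """Simulate one datagram. Returns ("delivered", None), ("frag_needed", next_hop_mtu)
    or ("timeout", None) when the error was generated but never reached the sender."""
    for hop in path:
        if size > hop.mtu:
            if not dont_fragment:
                return "delivered", None          # the router fragments; the receiver reassembles
            return ("frag_needed", hop.mtu) if hop.leaks_icmp else ("timeout", None)
    return "delivered", None


def discover_path_mtu(path: List[Hop], start: int = 1500, max_timeouts: int = 3) -> Tuple[int, bool]:
    """Probe with DF set and shrink to whatever MTU each error reports.

    Returns (usable_size, black_hole). An error that claims an MTU not smaller than
    what was just sent is nonsense (or spoofed) and is treated like silence; after
    max_timeouts consecutive silences the path is declared a black hole.
    """
    size, timeouts = start, 0
    while True:
        status, next_mtu = send(path, size)
        if status == "delivered":
            return size, False
        if status == "frag_needed" and next_mtu is not None and MIN_IPV4_MTU <= next_mtu < size:
            size, timeouts = next_mtu, 0          # believe the router, but only if it shrinks us
            continue
        timeouts += 1
        if timeouts >= max_timeouts:
            return FALLBACK_MTU, True


if __name__ == "__main__":
    path = [Hop("lan", 1500), Hop("tunnel", 1400), Hop("dsl", 1492)]
    print(discover_path_mtu(path))                # (1400, False)
    blackhole = [Hop("lan", 1500), Hop("tunnel", 1400), Hop("filtered", 1280, leaks_icmp=False)]
    print(discover_path_mtu(blackhole))           # (576, True)
```

The second scenario is the one the ICMP slides later warn about: if "fragmentation needed" is filtered along with the other unreachable codes, the sender never learns the 1280-byte limit and every full-size packet silently disappears.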
Packet Filters & Fragmentation
• Solution: filter only the first fragment of a datagram
  and let non-first fragments through.
  If the first fragment is dropped, the datagram can never be
  reassembled and a higher-level protocol (TCP) will discard the rest.
• Problem #1: the destination holds the non-first
  fragments waiting for the missing one
  (until a timeout), tying up reassembly buffers:
  Denial of Service!
Packet Filter & Fragmentation
• Problem #2: an attacker carefully
  constructs overlapping fragments so
  that non-first fragments contain the useful
  information.
  Overlapping fragments may be
  reassembled into invalid packets,
  causing the OS to crash.
Packet Filter & Fragmentation
• Problem #3: an attacker can get
  data to otherwise blocked ports
  by placing valid TCP header fields in non-first
  fragments, which slip through the filter and
  overwrite what the first fragment showed.
Packet Filter & Fragmentation
Solutions
• Reassemble fragments before filtering
  Time consuming and requires keeping state
• Reject all non-first fragments
  May reject otherwise good connections,
  but they will retransmit.
• Wider use of path MTU discovery is reducing
  fragmentation in practice
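Problems #2 and #3 and the two solutions above, worked through on constructed fragments. This is an added example, not code from the slides. The inbound policy it enforces is the one the TCP slides describe, dropping a segment with SYN set and ACK clear; the 16-byte minimum first fragment and the "drop TCP fragments at offset 1" rule follow RFC 1858, and the two overlap behaviours (first data wins, last data wins) stand in for the differing reassembly policies real stacks have used.

```python
"""Fragment filtering: first-fragment-only inspection vs. reassembly before filtering."""
import struct
from dataclasses import dataclass
from typing import List, Optional

SYN, ACK = 0x02, 0x10
MIN_FIRST_FRAGMENT = 16   # enough TCP header to reach the flags byte (TCP offset 13)


@dataclass
class Fragment:
    offset: int    # fragment offset in 8-byte units, as in the IP header
    more: bool     # "more fragments" bit
    data: bytes


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header; checksum left at zero (constructed data)."""
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 8192, 0, 0)


def tcp_flags(seg: bytes) -> int:
    return struct.unpack("!H", seg[12:14])[0] & 0x1FF


def inbound_policy(segment: bytes) -> bool:
    """Accept unless the segment is a connection request (SYN without ACK)."""
    if len(segment) < MIN_FIRST_FRAGMENT:
        return False                   # too short to see the flags: refuse it
    f = tcp_flags(segment)
    return not (f & SYN and not f & ACK)


def first_fragment_filter(frag: Fragment) -> bool:
    """Stateless: inspect only offset-0 fragments and pass every other fragment."""
    return inbound_policy(frag.data) if frag.offset == 0 else True


def rfc1858_filter(frag: Fragment) -> bool:
    """First-fragment check plus the RFC 1858 rule: once a first fragment must be at
    least 16 bytes, no legitimate TCP fragment can start at offset 1, so drop those."""
    if frag.offset == 1:
        return False
    return first_fragment_filter(frag)


def reassemble(frags: List[Fragment], favor: str = "last") -> Optional[bytes]:
    """Rebuild the datagram. Overlapping bytes go to the 'first' or the 'last'
    fragment that arrived, the two behaviours real stacks have exhibited.
    Returns None unless every byte is covered and a final (MF=0) fragment exists."""
    end = max(f.offset * 8 + len(f.data) for f in frags)
    buf, seen = bytearray(end), bytearray(end)
    for f in frags:
        start = f.offset * 8
        for i, b in enumerate(f.data):
            pos = start + i
            if favor == "last" or not seen[pos]:
                buf[pos] = b
            seen[pos] = 1
    if not all(seen) or not any(not f.more for f in frags):
        return None                    # incomplete: a real host would hold these until timeout
    return bytes(buf)


def reassembling_filter(frags: List[Fragment], favor: str = "last") -> bool:
    """Reassemble first, then apply the policy to the whole segment."""
    seg = reassemble(frags, favor)
    return seg is not None and inbound_policy(seg)


def overlap_attack() -> List[Fragment]:
    """Constructed attack: fragment 1 shows ACK (allowed); fragment 2 starts at
    offset 1 and rewrites bytes 8-19, so the flags byte reads SYN after reassembly."""
    first = Fragment(0, True, tcp_header(40000, 80, ACK)[:16])
    second = Fragment(1, False, tcp_header(40000, 80, SYN)[8:] + b"payload")
    return [first, second]


if __name__ == "__main__":
    frags = overlap_attack()
    print("stateless filter passes each fragment:", [first_fragment_filter(f) for f in frags])
    print("host that favors last data sees flags:", hex(tcp_flags(reassemble(frags, "last"))))
    print("host that favors first data sees flags:", hex(tcp_flags(reassemble(frags, "first"))))
    print("reassembling filter accepts:", reassembling_filter(frags, "last"))
    print("RFC 1858 filter per fragment:", [rfc1858_filter(f) for f in frags])
```

The same two fragments produce an ACK on one kind of host and a SYN on another, which is why a filter cannot reason about a fragmented segment without knowing, or imposing, the reassembly policy; rejecting non-first fragments outright sidesteps the question.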
TCP
TCP is reliable because it guarantees to
the application layer that it will:
– deliver data in the order it was sent
– deliver all data sent
– not deliver duplicates
It will kill the connection rather than violate any of these.
Blocking TCP
• To block a TCP connection,
  simply block its first packet.
• The first packet is unique: SYN is set and ACK is not set
  – the "start-of-connection" packet
• A filter can therefore enforce a policy of only allowing
  connections to external servers,
  i.e. deny external connection requests (inbound SYN without ACK)
  to internal servers while still passing the replies, which carry ACK
TCP Flags
• Common TCP flags:
  – ACK (acknowledgement)
  – SYN (synchronize)
  – RST (reset)
  – FIN (finish)
• The 3-way handshake uses SYN and ACK
• FIN closes a connection in an orderly way; RST aborts it
TCP Flags
Firewalls use ACK and RST
– A missing ACK bit identifies the first packet of a connection
– RST tells the peer to "shut up"
  without providing a useful error message
TCP Sequence Numbers
• Sequence numbers allow reconstruction of the
  correct order of segments
• The initial sequence number is supposed to be random,
  but often is not: a vulnerability!
• How to hijack a TCP connection?
Hijacking a TCP Connection
The attacker needs
• the ability to forge TCP/IP packets
• the initial sequence number (guessable when it is not random)
• knowledge that a TCP connection has started
  (but not necessarily the ability to see it)
• when the TCP connection started
• the ability to redirect responses to itself,
  OR to continue the conversation blind, without
  seeing the responses, while achieving its goal
Thought to be too hard, but it exists in the wild.
UDP
Since UDP is connectionless and does not guarantee reliability,
there is no uniquely identifiable first packet to block
ICMP
Examples
– Echo Request: sent by ping
– Echo Reply
– Time Exceeded (really hops exceeded: the TTL reached zero)
– Destination Unreachable
– Redirect (a router forwarded the packet but is
  telling the sender that a better route exists)
ICMP
"Destination Unreachable" carries a code
that indicates the reason.
The relevant one is code 4,
"Fragmentation Needed and Don't Fragment was Set",
which path MTU discovery depends on (it also carries the next-hop MTU).
It is desirable to drop all other "unreachable" replies,
since they tell scanners which hosts and ports exist.
Many firewalls do not allow discrimination on the
ICMP code.
ICMP Attacks
• ICMP packets should be very small;
  a large one indicates a problem, so filter out
  large ones.
• For example, echo packets allow
  padding, which could carry data.
  Not useful for breaking in, but it could be
  used as a covert channel to maintain a connection to a
  compromised site.
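The ICMP policy from the last two slides as a filter: echo is allowed but capped in size, Destination Unreachable is kept only for code 4, the other unreachable codes are dropped, and the checksum is verified so a damaged or altered message is not trusted. This is an added example, not code from the slides; the messages are constructed inline, the 64-byte echo cap is this example's choice (ping's default payload is 56 bytes), and passing Time Exceeded and dropping every other type by default are policy choices of the example rather than statements from the slides.

```python
"""ICMP filtering on type, code and size, with RFC 1071 checksum verification."""
import struct
from dataclasses import dataclass

ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11
FRAG_NEEDED = 4                  # Destination Unreachable code 4
MAX_ECHO_PAYLOAD = 64            # this example's cap; ping sends 56 bytes of padding by default


@dataclass
class Verdict:
    accept: bool
    reason: str


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); over a valid message it is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Constructed test message: type, code, checksum, 4-byte 'rest of header', payload.
    For code 4 unreachables the low 16 bits of 'rest' are the next-hop MTU."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def filter_icmp(msg: bytes) -> Verdict:
    if len(msg) < 8:
        return Verdict(False, "truncated")
    if internet_checksum(msg) != 0:
        return Verdict(False, "bad checksum")
    icmp_type, code = msg[0], msg[1]
    payload = msg[8:]
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        if len(payload) > MAX_ECHO_PAYLOAD:
            return Verdict(False, f"echo payload {len(payload)} bytes: possible covert channel")
        return Verdict(True, "echo")
    if icmp_type == DEST_UNREACH:
        if code == FRAG_NEEDED:
            next_mtu = struct.unpack("!H", msg[6:8])[0]
            return Verdict(True, f"fragmentation needed, next-hop MTU {next_mtu}")
        return Verdict(False, f"unreachable code {code} leaks host/port state to scanners")
    if icmp_type == TIME_EXCEEDED:
        return Verdict(True, "time exceeded")
    return Verdict(False, f"type {icmp_type} not permitted")


if __name__ == "__main__":
    samples = {
        "ping": build_icmp(ECHO_REQUEST, 0, 0x00010001, b"\x00" * 56),
        "fat ping": build_icmp(ECHO_REQUEST, 0, 0x00010001, b"\x00" * 1000),
        "frag needed": build_icmp(DEST_UNREACH, FRAG_NEEDED, 1400),
        "port unreachable": build_icmp(DEST_UNREACH, 3),
        "redirect": build_icmp(REDIRECT, 1),
    }
    for name, msg in samples.items():
        print(f"{name:18} -> {filter_icmp(msg)}")
```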
IP over IP
• Encapsulating IP inside IP
  – Encrypted traffic
  – Mobile IP (moving around while keeping a fixed IP address)
  – Carrying a protocol the intervening network does not support
    • Multicast over networks without multicast
    • IPv6 over IPv4
  – VPN: virtual private networks
• Problem: the firewall cannot see the "actual" inner IP packet
  (encrypted), or may simply not look at it
Low-level attacks
• Port scanning
  – Send SYN without ACK:
    receive SYN/ACK if the port is open, RST if it is closed
  – Send FIN alone: a closed port answers RST,
    an open one stays silent (on stacks that follow RFC 793)
• "all flags on" = Christmas tree (lights it up)
• "all flags off" = null
• Either can crash a weak TCP/IP stack
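Detection logic for the probes on this slide, run over a constructed record set. This is an added example, not material from the slides: the packet records, the 10-port threshold and the decision to treat any Christmas-tree, null or otherwise nonsensical flag combination as a scan on its own are this example's choices; a deployment would feed it from a capture or flow log instead of the inline sample.

```python
"""Classify TCP flag combinations and flag sources that probe many ports."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
SCAN_PORT_THRESHOLD = 10      # distinct destination ports from one source (example's choice)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: int


def classify_flags(flags: int) -> str:
    """Name what a flag combination represents.

    Plain SYN is both a normal connection request and the half-open scan probe;
    FIN without ACK never occurs inside a live connection; all-on and all-off are
    the Christmas tree and null packets that weak stacks choke on."""
    if flags == 0:
        return "null"
    if flags == ALL_FLAGS:
        return "xmas"
    if flags == SYN:
        return "syn"
    if flags == FIN:
        return "fin"
    if flags == RST:
        return "rst"              # normal abort, not a probe by itself
    if flags & ACK:
        return "established"      # anything carrying ACK belongs to a conversation
    return "odd"                  # e.g. SYN|FIN: never legitimate


PROBE_KINDS = {"syn", "fin", "xmas", "null", "odd"}
MALFORMED = {"xmas", "null", "odd"}


def detect_scans(packets: List[Packet]) -> Dict[str, dict]:
    """Per source: distinct ports probed, probe types seen, and a scan verdict."""
    ports = defaultdict(set)
    kinds = defaultdict(set)
    for p in packets:
        kind = classify_flags(p.flags)
        if kind in PROBE_KINDS:
            ports[p.src].add(p.dport)
            kinds[p.src].add(kind)
    report = {}
    for src in ports:
        report[src] = {
            "ports": len(ports[src]),
            "probes": sorted(kinds[src]),
            "scan": len(ports[src]) >= SCAN_PORT_THRESHOLD or bool(kinds[src] & MALFORMED),
        }
    return report


def sample_traffic() -> List[Packet]:
    """Constructed: a SYN sweep over 25 ports, one crafted Christmas-tree packet,
    and a legitimate client completing a handshake and sending data."""
    pkts = [Packet("203.0.113.7", "35.9.20.20", port, SYN) for port in range(20, 45)]
    pkts.append(Packet("198.51.100.9", "35.9.20.20", 22, ALL_FLAGS))
    pkts += [Packet("192.0.2.5", "35.9.20.20", 80, SYN),
             Packet("192.0.2.5", "35.9.20.20", 80, ACK),
             Packet("192.0.2.5", "35.9.20.20", 80, PSH | ACK)]
    return pkts


if __name__ == "__main__":
    for src, info in detect_scans(sample_traffic()).items():
        print(src, info)
```

The SYN sweep is only distinguishable from 25 legitimate clients by volume per source, which is why the threshold exists; the Christmas-tree packet is conclusive on its own because no real stack ever emits it.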
Low-level Attacks
IP Spoofing:
Apparent problem: the reply is not sent to the attacker. That does not matter when
– the attacker can intercept the reply,
– the attacker doesn't care to see it (e.g. DoS), or
– the attacker wants the reply to go elsewhere: the smurf attack
  sends echo requests to a broadcast address with the victim's address
  forged as the source, so every host on that network replies to the
  victim and the traffic is multiplied
Packet Filtering Pro/Con
• Pro
– One filter can protect an entire network
– Simple filtering is efficient
– Widely available
• Con
– Not perfect: hard to configure and test
– Reduces router performance
– Some security policies cannot be enforced,
e.g. block a user
Network Address Translation (NAT)
[Diagram: Client 10.42.6.9 --> NAT (public address 35.9.20.20) --> Server]
(Linux calls it masquerading)
NAT Pro/Con
• Pro
– Enforces control over outbound connections
– Dynamic translation is more restrictive
changed mapping increases attack difficulty
– Conceals internal configuration
• Con
– Dynamic translation requires maintaining state
(how long to keep connection open?)
– Interferes with some encryption schemes
– Dynamic translation interferes with logging
– Dynamic translation of ports can interfere with filtering
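Dynamic NAT with connection state, as an added example that is not part of the slides. It serves two passages: the TCP rule "allow connections out, deny connection requests in", and the NAT pro/con list above. A mapping is created only by an outbound SYN, so an inbound packet that matches no mapping, whether a SYN aimed at an internal server or an unsolicited ACK, has nowhere to be delivered and is dropped; idle mappings expire, which is exactly the state (and the "how long to keep the connection open?" question) the con list refers to. Addresses are the slides' plus documentation ranges, the port allocation is sequential for readability (a real masquerader picks less predictable ports), and the 300-second idle timeout is this example's value.

```python
"""Dynamic NAT (masquerading) with per-connection state (constructed packets)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class Mapping:
    inside: Tuple[str, int]   # internal address and port behind the NAT
    last_seen: float


class Masquerader:
    """One public address; each outbound connection gets its own public port."""

    def __init__(self, public_ip: str, idle_timeout: float = 300.0, first_port: int = 1024):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.next_port = first_port
        # (public_port, remote_ip, remote_port) -> Mapping, looked up for inbound packets
        self.table: Dict[Tuple[int, str, int], Mapping] = {}
        # (inside_ip, inside_port, remote_ip, remote_port) -> public_port, for outbound
        self.by_inside: Dict[Tuple[str, int, str, int], int] = {}

    def _expire(self, now: float) -> None:
        """Forget mappings idle longer than the timeout (the state the con list warns about)."""
        dead = [k for k, m in self.table.items() if now - m.last_seen > self.idle_timeout]
        for k in dead:
            m = self.table.pop(k)
            self.by_inside.pop((m.inside[0], m.inside[1], k[1], k[2]), None)

    def outbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Internal -> Internet. Only a SYN may create a mapping; anything else needs one."""
        self._expire(now)
        key_in = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        public_port = self.by_inside.get(key_in)
        if public_port is None:
            if not (pkt.flags & SYN and not pkt.flags & ACK):
                return None                      # no state and not a connection request: drop
            public_port = self.next_port
            self.next_port += 1                  # sequential for readability only
            self.by_inside[key_in] = public_port
            self.table[(public_port, pkt.dst, pkt.dport)] = Mapping((pkt.src, pkt.sport), now)
        self.table[(public_port, pkt.dst, pkt.dport)].last_seen = now
        return Packet(self.public_ip, public_port, pkt.dst, pkt.dport, pkt.flags)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Internet -> internal. Translated only if it answers a mapped outbound connection."""
        self._expire(now)
        m = self.table.get((pkt.dport, pkt.src, pkt.sport))
        if m is None or pkt.dst != self.public_ip:
            return None                          # unsolicited: dropped, inbound SYNs included
        m.last_seen = now
        return Packet(pkt.src, pkt.sport, m.inside[0], m.inside[1], pkt.flags)


if __name__ == "__main__":
    nat = Masquerader("35.9.20.20")
    print(nat.outbound(Packet("10.42.6.9", 40000, "198.51.100.80", 80, SYN), now=0))
    print(nat.inbound(Packet("198.51.100.80", 80, "35.9.20.20", 1024, SYN | ACK), now=1))
    print(nat.inbound(Packet("203.0.113.7", 5555, "35.9.20.20", 22, SYN), now=2))   # None
```

Because the inbound lookup is keyed on the remote address and port as well as the public port, a third party that guesses a mapped port still does not get through; the cost is the state table itself, and the per-connection port rewriting is what the con list means by dynamic translation interfering with logging and with filters that expect stable ports.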