Internal Network - University Of Worcester


COMP3123 Internet Security
Richard Henson, University of Worcester, November 2010
Week 6: Securing a LAN connected to the Internet against Attack

Objectives:
Explain what a Firewall is, why it is needed, and why users find it frustrating…
Explain what a Proxy Service is, and why it can be a more flexible solution than a firewall
Relate the principles of IP and TCP port filtering to the challenge posed by threats to LAN server security from the Internet
Unsecured LAN-Internet Connection via Router (diagram: Internet/external network, a router with no packet filtering, and the internal network)
An Unsecured LAN-Internet Connection via Router (diagram: the router handles layers 1 to 3 on each side; data passes through unchanged)
An Unsecured LAN-Internet Connection via Router

Routers only process data up to OSI layer 3
• even with full user authentication on network services…
» outgoing IP packets are untouched unless IP filtering is used
• BUT, IP filtering will slow down packet flow…

Also…
• a request by a LAN client for Internet data across a router reveals the client IP address
» this is a desired effect…
» the “local” IP address must be recorded on the remote server
» which picks up the required data & returns it via the router and server to the local IP address
• problem – it could be intercepted, and future data to that IP address may not be so harmless…
An Unsecured LAN-Internet Connection via Router

Another problem: the wrath of IANA
• the IP address awarding & controlling body
• big penalties if ANY internal LAN IP address conflicts with an existing Internet IP address they allocated…

If local clients have direct access to the Internet and their addresses can be allocated locally, this COULD happen
• Safeguard:
» use DHCP (Dynamic Host Configuration Protocol)
» allocate client IP addresses from within a fixed range allocated to that domain by IANA
A LAN-Internet connection via Gateway (diagram: Internet/external network running e.g. TCP/IP, a gateway performing packet conversion, internal network running e.g. Novell IPX/SPX)
A LAN-Internet connection via Gateway

At a gateway, processing goes up the protocol stack:
• to at least level 4
• possibly right up to level 7

Because local packets can be converted into other formats:
• the remote network therefore does not have direct access to the local machine
• IP packets are only recreated at the desktop
• local client IP addresses therefore do not need to comply with IANA allocations
Creating a “Secure Site”?

To put it bluntly – a secure site is a LAN that provides formidable obstacles to potential hackers
• keep a physical barrier between the local server and the Internet

The physical barrier is linked through an intermediate computer called a Firewall or Proxy Server
• may place unnecessary restrictions on access
• security could be provided at one of the seven layers of the TCP/IP stack
Security Architecture & Secure Sites

This includes all aspects of security controls
• can be imposed on internal users through group policy objects
• external attempts to hack cannot be controlled in this way, because the attackers are not authorised users

What about external threats?
• need to focus on external data and the security controls to deal with it…
The Firewall… (diagram: Internet/external network on one side, internal network on the other; TCP/IP passes out through the firewall, no data comes in)
Using a Firewall to secure Routed Connections

Completely separate local network data from Internet data using a physical barrier:
• Firewall (robust but inflexible)
• Proxy Server (flexible)

Either solution will have a similar safeguarding effect to using a gateway:
• client IP addresses will not interact with the Internet
• therefore they do not need to be IANA approved
• but it makes good sense to use DHCP anyway…
What is a Firewall?

“A set of components that restricts access between a protected network and the Internet”
therefore it divides a potential internetwork into internal and external components:
» Internal Network
– under consideration from a security point of view
– kept logically separate from the Internet
» External Network
– generally assumed to be the Internet, or a network that cannot be secured
A Firewall should…

Protect the network from:
• TCP/IP attacks, probes and scans
• denial of service attacks
• malicious code such as viruses, worms and trojans

Provide, depending upon the security policy and the type of firewall used:
• Network Address Translation (NAT)
• authentication or encryption services
• web filtering

To do this, it must be appropriately configured…
The Screening Router (diagram: a screening router with blocked services marked X)
Screening Routers

Every IP packet contains:
• IP address of source
• IP address of destination
• source and destination TCP port(s)
• protocol being used (e.g. FTP, SMTP, etc.)
A router simply routes the packet towards its destination address
• A screening router:
» scrutinises whole packet headers
» decides what to do with the packet
The Screening Router

Packets are checked individually
• therefore it requires more processing power than a standard router

Once a packet has been scrutinised, the screening router can take one of three actions:
• block the packet
• forward it to the intended destination
• forward it to another destination

IP addresses on the internal network can therefore be “protected” from external packets with a particular source address
The Proxy Server (diagram: the internal network sends its request to the proxy service on the firewall, which in turn talks to the real server)
The Proxy Server

A firewall that offers a client-server “proxy” service
• allows the firewall to act as an intermediate party between the Internet and local network services:
» intercepts user (client) requests for services such as FTP
» decides whether or not to forward them to the true server

The effect is that the internal and external computers talk to the proxy service rather than directly to each other
Proxy Service - continued

The user on either side of the firewall is presented with the illusion that they are talking to a real server
• in fact they are both dealing with a proxy

So if an outside user tries to “hack” into the network server…
• the actual internal network architecture is hidden

A proxy server can be programmed to block certain requests, sites or actions, e.g.:
• blocking certain WWW sites
• preventing FTP downloads
DMZ (Demilitarized Zone)

Beyond the firewall but not yet through the Internet Router/Gateway…
A router normally stops incoming Internet traffic from getting on your network
• unless the traffic is in response to one of your computers
• or when using port forwarding

Alternately…
• incoming traffic can go to one computer on your network by establishing a "Default DMZ Server" (humorous reference to "Demilitarized Zone")
• avoids having to figure out what ports an Internet application wants
» all ports are open for that computer…
Bastion Host

Acts as a firewall, and also runs the proxy and other services
Main or only point of contact between users of an internal network and the external network
Must be highly secured because it is vulnerable to attack
External logins to the Bastion Host must not be allowed, as user accounts represent an easy way to attack networks…
Dual Homed Host

Based on a dual homed computer (2+ interfaces)
Does NOT allow through routing of packets
Communication through the DHH occurs as follows:
• via proxies
• users log in to the DHH

However:
• logging in of users to the DHH will create further security problems…
• not all Internet services can be proxied, for technical reasons
Dual Homed Host (diagram: Internet, then the firewall, a dual-homed host with proxy services)
Screened Host

Uses a screening router
• can block certain types of service

Routes packets to the internal bastion only
• may act as a proxy for services

Disadvantage:
• if the internal bastion is hacked into, then other computers on the internal network can easily be accessed
Screened Host (diagram: Internet, a screening router with blocked services marked X, the firewall, and a bastion host running proxy services)
Typical Types of External Attacks - 1

Exhaustive
• “brute force” attacks using all possible combinations of passwords to gain access

Inference
• taking educated guesses at passwords, based on information gleaned

TOC/TOU (Time of check/use)
• 1. use of a “sniffer” to capture log-on data
• 2. (later) using the captured data & IP address in an attempt to impersonate the original user/client
Typical Types of External Attacks - 2

Three other types of attacks that firewalls should be configured to protect against:
• denial of service (DoS) attacks
• distributed denial of service (DDoS) attacks
• IP Spoofing (pretence that the data is coming from a “safe” source IP address)
Firewalls and TCP, UDP ports

Remember this model? (diagram of the TCP/IP stack: the application services TELNET, FTP, NFS, SMTP, DNS and SNMP above TCP and UDP, which sit above IP; caption: TCP ports that may be open to attack)

TCP and UDP ports
• both important features of TCP/IP
• provide logical links for passing data between the transport layer and an application layer service

Usually defined by an RFC (remember those?)
Examples:
• FTP: port 21
• SMTP: port 25
• HTTP: port 80
• Telnet: port 23
• DNS: port 53
• POP3: port 110
Problem…
• what if the service isn’t being used?…
Blocking TCP ports with a Firewall

Very many TCP and UDP ports:
• 0 – 1023 are tightly bound to application services
• 1024 – 49151 are more loosely bound to services
• 49152 – 65535 are private, or “dynamic”

In practice, any port over 1023 could be assigned dynamically to a service…
One of the more useful features of a firewall is that ports can be configured, and therefore data flow can be monitored and controlled
Blocking TCP ports with a Firewall

Generally, TCP ports should be:
• EITHER open for a service (e.g. HTTP on port 80)
• OR… blocked if there is no service, to stop opportunists

But if the firewall only allows “official services” this can cause problems for legitimate users
• e.g. if port 25 is blocked, email data cannot be sent
Protecting Against TCP/IP Attacks, Probes and Scans

The TCP/IP protocol stack has been largely unchanged since the early 1980s:
• more than enough time for hackers to discover its weaknesses
• attacks often come through a particular TCP port
TCP Port 21: FTP (File Transfer Protocol)

FTP servers are excellent
• BUT by their very nature they open up very big security holes
• those that allow anonymous logins are used:
» to launch attacks on the server itself, by connecting to the C: drive and downloading viruses or overwriting/deleting files
» to store pirated files and programs

Precaution:
• configure FTP servers NOT to accept anonymous logins
• only allow access to port 21 through the firewall to that particular server
Making Effective use of the DMZ

• An even better alternative for port 21 security:
» place the FTP server on a perimeter network, or "DMZ", of the firewall
• A DMZ is used to segregate inherently insecure servers that require a higher degree of network access from the rest of your network
» an FTP server on a DMZ that has been compromised will then not be able to be used to attack the rest of the network
» of course, if there is no FTP server, a DMZ might not be necessary…
TCP Port 23: Telnet

Telnet is really good for providing access to servers and other devices
• accessing a server via Telnet is very much like being physically located at the server console

Protecting against Telnet is simple:
• block ALL access to port 23 from the outside
• block perimeter networks to the inside

Protecting internal servers from attack from the inside:
• configure them to accept telnet connections from very few sources
• or block port 23 completely…
TCP Port 25: SMTP

Email programs are large, complex, accessible…
• therefore an easy target…
• Buffer overrun:
» the attacker enters more characters – perhaps including executable code – into an email field (e.g. To:) than is expected by the email server
– an error could be generated
– hackers could gain access to the server and the network
• SPAM attack:
» the protocol design allows a message to go directly from the originator's email server to the recipient's email server
– it can ALSO be relayed by one or more mail servers in the middle
– BUT… this is routinely abused by spammers
– who forward a message to thousands of unwilling recipients
Port 25 SMTP: solution…

Buffer Overrun:
• solution: put the server on a perimeter network

Spam Attack:
• solution: DISABLE the relaying facility…
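What "disabling relaying" means in practice is a decision the mail server makes on every RCPT TO. The following is an added example, not part of the lecture: a relay policy applied to a constructed SMTP session, with the local domain, internal LAN and client addresses all assumed values.

```python
import ipaddress
import re

# Constructed values (assumptions): the domains this mail server delivers for, and the LAN whose
# hosts may send mail anywhere through it.
LOCAL_DOMAINS = {"example.ac.uk"}
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
RCPT_RE = re.compile(r"^RCPT TO:\s*<([^>]+)>", re.IGNORECASE)

def rcpt_reply(client_ip: str, line: str, relay_enabled: bool = False) -> str:
    """SMTP reply to one RCPT TO line. With relaying disabled (the slide's fix), a recipient outside
    LOCAL_DOMAINS is accepted only when the connecting client is on the internal network."""
    m = RCPT_RE.match(line)
    if not m:
        return "501 Syntax error in RCPT TO"
    domain = m.group(1).rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return "250 OK"                      # inbound mail for our own users is always accepted
    if relay_enabled or ipaddress.ip_address(client_ip) in INTERNAL_NET:
        return "250 OK"                      # outbound mail from our own LAN (or an open relay)
    return "554 Relay access denied"         # outside to outside: the relay abuse the slide describes

def session_replies(client_ip: str, lines, relay_enabled: bool = False):
    """Replies for every RCPT TO in a constructed SMTP session, in order."""
    return [rcpt_reply(client_ip, l, relay_enabled)
            for l in lines if l.upper().startswith("RCPT TO")]

# Constructed session: an Internet host asks us to deliver to two outside addresses and one local one.
SPAM_SESSION = ["MAIL FROM:<mailer@example.net>",
                "RCPT TO:<victim1@example.org>", "RCPT TO:<victim2@example.org>",
                "RCPT TO:<staff@example.ac.uk>"]
```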
TCP and UDP Port 53: DNS (Domain Name Service)

One of the core protocols of the Internet
• without it, domain name to IP address translation would not exist

PROBLEMS: if a site hosts DNS, attackers will try to:
• modify DNS entries
• download a copy of your DNS records (a process called zone transfer)
Port 53 DNS: Solution…

Solution:
• configure the firewall to accept connections from the outside to TCP port 53 only from your secondary DNS server
» the one downstream from you, e.g. at your ISP
• consider creating two DNS servers: one on your perimeter network, the other on the internal network:
» the perimeter DNS will answer queries from the outside
» the internal DNS will respond to all internal lookups
» configure a stateful inspection firewall to allow replies to the internal DNS server, but deny connections being initiated from it
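The stateful rule in the last bullet is what separates this design from a plain screening router: the firewall must remember which queries the internal DNS sent out. This added example (not from the lecture) models that connection tracking, reading the rule as: replies to queries the internal server sent out are allowed in, but nothing from outside may open a flow to it, while the perimeter DNS stays reachable. The two server addresses are assumed values.

```python
# Constructed addresses (assumptions): the internal resolver and the perimeter-network DNS server.
INTERNAL_DNS = "192.168.10.53"
PERIMETER_DNS = "198.51.100.53"

class StatefulDnsFirewall:
    """Connection tracking for the slide's split-DNS layout: the internal resolver may send
    queries out and receive the matching replies; nobody outside may open a flow to it."""

    def __init__(self):
        self.flows = set()   # (proto, src, sport, dst, dport) of queries the internal DNS sent out

    def outbound(self, proto, src, sport, dst, dport):
        """Packet leaving the internal network (only DNS flows are modelled here)."""
        if src == INTERNAL_DNS and dport == 53:
            self.flows.add((proto, src, sport, dst, dport))   # remember the flow so its reply can return
            return True
        return False   # other internal hosts resolve through the internal DNS, not directly

    def inbound(self, proto, src, sport, dst, dport):
        """Packet arriving from the Internet: allowed only for the perimeter DNS or as a tracked reply."""
        if dst == PERIMETER_DNS and dport == 53:
            return True                       # the perimeter DNS answers queries from the outside
        reverse = (proto, dst, dport, src, sport)   # a reply swaps source and destination
        if reverse in self.flows:
            if proto == "udp":
                self.flows.discard(reverse)   # one query, one reply: close the window immediately
            return True
        return False   # anything else aimed inward, including port 53 on the internal DNS, is denied
```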
TCP Port 79: Finger

A service that enumerates all the services you have available on your network servers:
• an invaluable tool in probing or scanning a network prior to an attack!

To deny all this information about network services to would-be attackers, just block port 79…
TCP Ports 109-110: POP (Post Office Protocol)

POP is easy to use…
• but sadly it has a number of insecurities

The most insecure version is POP3, which runs on port 110
• if the email server requires POP3, block all access to port 110 except to that server
• if POP3 is not used, block port 110 entirely…
TCP Ports 135 and 137: NetBIOS

The Microsoft Windows protocol used for file and print sharing
• the last thing you probably want is for users on the Internet to connect to your servers' files and printers!

Block NetBIOS. Period!
UDP Port 161: SNMP

SNMP is important for remote management of network devices:
• but it also poses inherent security risks
• it stores configuration and performance parameters in a database that is then accessible via the network…

If the network is open to the Internet, hackers can gain a large amount of very valuable information about the network…
So… if SNMP is used:
• allow access to port 161 from the internal network only
• otherwise, block it entirely
Denial of Service (DoS) Attacks

An attempt to harm a network by flooding it with traffic so that network devices are overwhelmed and unable to provide services.
• One of the primary DoS attacks uses Ping, an ICMP (Internet Control Message Protocol) service:
» sends a brief request to a remote computer asking it to echo back its IP address
“Ping” Attacks

Dubbed the "Ping of Death"
Two forms:
• the attacker deliberately creates a very large ping packet and then transmits it to a victim
» ICMP can't deal with large packets
» the receiving computer is unable to accept delivery and crashes or hangs
• an attacker sends thousands of ping requests to a victim so that its processor time is taken up answering ping requests, preventing the processor from responding to other, legitimate requests

Protection:
• block ICMP echo requests and replies
• ensure there is a rule blocking "outgoing time exceeded" & "unreachable" messages
Distributed Denial of Service Attacks/IP Spoofing

Related:
• A DDoS attack has occurred when attackers gain access to a wide number of PCs and then use them to launch a coordinated attack against a victim
» often relies on home computers, since they are less frequently protected (worms and viruses can also be used)
• If IP spoofing is used, attackers can gain access to a PC within a protected network by obtaining its IP address and then using it in packet headers
Protection against DDoS & IP Spoofing

Block traffic coming into the network that contains IP addresses from the internal network…
In addition, block the following private, illegal and unroutable addresses:
• Illegal/unroutable:
» 255.255.255.255, 27.0.0.0, 240.0.0.0, & 0.0.0.0
• “Private” addresses useful for NAT or Proxy Servers (RFC 1918):
» 10.0.0.0-10.255.255.255
» 172.16.0.0-172.31.255.255
» 192.168.0.0-192.168.255.255

Finally, keep anti-virus software up-to-date, & firewall software patched and up-to-date
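The anti-spoofing list above and the screening router's three actions (block, forward, forward elsewhere) from the earlier "Screening Router" slides combine into one inbound policy. This added example, written for these notes and not taken from the lecture, evaluates that policy over constructed packets: the LAN, DMZ server and secondary DNS addresses are assumptions, and the block list covers the RFC 1918 ranges plus the 0.0.0.0, 240.0.0.0 and broadcast entries from the slide.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (assumptions): LAN behind the screening router, DMZ servers, ISP's secondary DNS.
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
FTP_SERVER, DNS_SERVER, WEB_SERVER = "198.51.100.21", "198.51.100.53", "198.51.100.80"
SECONDARY_DNS = "203.0.113.53"
# Sources that must never arrive from the Internet: RFC 1918 space plus the slide's unroutable addresses.
NEVER_INBOUND = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "0.0.0.0/8", "240.0.0.0/4", "255.255.255.255/32")]
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port; None for ICMP
def in_net(addr: str, cidr: Optional[str]) -> bool:   # an unset cidr matches anything
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
@dataclass(frozen=True)
class Rule:
    action: str                  # "block", "forward" or "redirect": the slide's three actions
    proto: Optional[str] = None
    src: Optional[str] = None    # CIDR, or None for any source
    dst: Optional[str] = None    # CIDR, or None for any destination
    dport: Optional[int] = None
    redirect_to: Optional[str] = None   # alternative destination, used by "redirect" only
    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.dport is None or self.dport == p.dport))

# Inbound policy following the port-by-port advice in the slides; first match wins, default deny.
INBOUND_RULES = [
    Rule("forward", "tcp", dst=FTP_SERVER + "/32", dport=21),   # FTP only to the DMZ FTP server
    Rule("forward", "tcp", src=SECONDARY_DNS + "/32", dst=DNS_SERVER + "/32", dport=53),  # zone transfer
    Rule("redirect", "tcp", dport=80, redirect_to=WEB_SERVER),  # web requests go to the DMZ web server
    Rule("block", "icmp"),                                      # no echo requests or replies from outside
]

def screen_inbound(p: Packet, rules=INBOUND_RULES):
    """Decision for a packet arriving on the Internet-facing interface: (action, detail)."""
    src = ipaddress.ip_address(p.src)
    # Anti-spoofing: an internal, private or unroutable source cannot legitimately come from outside.
    if src in INTERNAL_NET or any(src in net for net in NEVER_INBOUND):
        return ("block", "spoofed source " + p.src)
    for r in rules:
        if r.matches(p):
            return (r.action, r.redirect_to if r.action == "redirect" else "rule")
    return ("block", "default deny")   # no service on that port: closed to opportunists
```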