COMP3123
Internet Security
Richard Henson
University of Worcester
December 2009
Week 10 Malicious Code:
Securing the TCP/IP stack
Objectives:
Explain how stateless IP filtering can be a useful
tool for protecting networks against hackers
Discuss the limitations of stateless IP filtering and
how these are overcome by the use of stateful IP
filtering
Summarise the various techniques that can be
used to combat data security threats
Develop procedures for use in an organisation
Develop a strategy to sell a security policy to the
work force
Datagrams, Packets and the Transport Layer
A transport layer datagram is up to 64K long
For the IP layer, and routing purposes it is
fragmented into smaller packets
When the data reaches its destination, the IP
packets need to be reassembled at the
transport layer into the original datagram
It is the IP packets that are physically routed
around the network
It is the management of these that we will be
concerned with in this lecture…
TCP and IP packets (diagram): a TCP packet consists of a header and a payload (data); when carried as IP packets, extra header fields are added.
More about IP packets (diagram): header of 20 bytes; payload (data) of variable length, typically 768 bytes.
Standard IP Packet Header
The header contains a lot of useful data
This is highly structured and organised into
a series of fields so it can be easily read e.g.
Header Length
Total length of packet
Identification
Fragment #
TTL
Protocol (TCP or UDP)
Source Address
Destination Address
Options (e.g. source routing)
IP Packet Filtering
The idea behind packet filtering is a
simple one:
packet header is read
» If source IP address is suspect, packet is
“dumped”
» Else packet is allowed through
This can be done quickly, and the
packet body (or “payload”) doesn’t have
to be processed in any way
Stateless and Stateful Packet Filters
Stateless filters just read the header and act
do not read the payloads of packets
do not retain the current state of connections
within the session
can’t filter TCP port numbers higher than 1024
Stateful filters remember the state of
connections through recording session
establishment info
Stateless Packet Filters
This was the only type of IP filter available at
one time
Use the IP header only, but this contains a lot
of fields containing data
A firewall can be configured to read fields and
filter according to:
Protocol type
IP address
TCP/UDP port
Source routing information
Fragment number
Filtering by Protocol Type
This field has four possible values:
UDP
TCP
ICMP – Internet Control Message Protocol
IGMP – Internet Group Management Protocol
Each of these protocols maps onto higher
level protocols, so filtering out one can shut off
a lot of services!
Conclusion
Too general, not enough control
Advice: leave this field OPEN (no filtering)
Filtering by IP address
Normally focuses on the source IP address
field:
Can allow all IP addresses except…
Or deny all IP addresses except…
The latter is an excellent way of safeguarding
the local network but would be unpopular as
far as surfing the web is concerned!
More flexible firewalls allow IP addresses to
be restricted on a “per protocol” basis e.g.
No IP address filtering on port 80
Only local IP addresses can use port 23
IP Filtering by TCP/UDP port
Also known as “protocol filtering”
The Layer 4 (TCP/UDP) port field is a number
corresponding to a higher level protocol name
Can be used in the same way as IP address
filtering (allow… deny…)
Problem: Fragmentation
Fragmentation
Large TCP packets are broken into a series
of numbered IP fragments
Only the first fragment (numbered 0) has a
TCP/UDP port field
Rest of fragments therefore can’t be filtered by
protocol
Earlier firewalls let them through because they
are useless without the “parent” packet
however, there have been instances where hackers
have reassembled them
therefore higher-numbered fragments in this category
should also be filtered
IP Filtering by TCP/UDP port
Certain protocols are favourites for hackers
e.g:
Telnet
NetBIOS
POP3
NFS
Windows Terminal Services
Should be blocked, unless being legitimately
used to provide services
Filtering by Source Routing Information
This field gives information about the route
taken by the packet
Handled in two ways:
Loose source routing
» Mentions only a small number of intermediate IP
addresses
Strict source routing
» Provides an exact route
However:
hackers can use source routing to confuse
no higher level protocols actually use source
routing – any such information should therefore be
deleted as a precautionary measure
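The stateless checks from the preceding slides (header fields, source address, TCP port, non-first fragments, and the source-routing option) pulled together as an added example; this is not code from the lecture, and the rule set, addresses and packets are constructed for illustration.

```python
import struct
from ipaddress import ip_address
# Constructed rule set for this example: "deny all TCP except" port 80, plus one blocked source.
ALLOWED_TCP_PORTS = {80}
BLOCKED_SOURCES = {"203.0.113.7"}

def has_source_route(options: bytes) -> bool:
    """Walk the IP options area looking for Loose (131) or Strict (137) Source Route."""
    i = 0
    while i < len(options) and options[i] != 0:          # 0 = End of Options List
        kind = options[i]
        if kind in (131, 137):
            return True
        # NOP (1) is a single byte; every other option carries a length byte that counts itself
        step = 1 if kind == 1 else (options[i + 1] if i + 1 < len(options) else 0)
        i += max(step, 1)                                 # never loop on a malformed length
    return False

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the header fields listed on the slide from a raw IPv4 packet."""
    ver_ihl, _, total_len, ident, flags_frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                            # header length in bytes (20 without options)
    return {"header_length": ihl, "total_length": total_len, "identification": ident,
            "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
            "src": str(ip_address(src)), "dst": str(ip_address(dst)),
            "source_routed": has_source_route(pkt[20:ihl]), "payload": pkt[ihl:]}

def stateless_filter(pkt: bytes) -> str:
    """Header-only decision: nothing beyond the first four TCP header bytes is ever read."""
    h = parse_ipv4(pkt)
    if h["src"] in BLOCKED_SOURCES:
        return "drop: blocked source"
    if h["source_routed"]:
        return "drop: source routing option present"
    if h["protocol"] != 6:                                # 6 = TCP; other protocols left open
        return "allow"
    if h["fragment_offset"] != 0:
        return "drop: non-first fragment carries no port field"
    if len(h["payload"]) < 4:
        return "drop: truncated TCP header"
    dport = struct.unpack("!HH", h["payload"][:4])[1]
    return "allow" if dport in ALLOWED_TCP_PORTS else f"drop: tcp port {dport}"

def build_ipv4(src, dst, proto, payload, frag_offset=0, options=b""):
    """Build constructed test packets: pad options to 32 bits, fill in IHL and total length."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0x1234,
                      frag_offset & 0x1FFF, 64, proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr + options + payload
```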
Stateful IP filtering
Using this more exhaustive technique:
the payload of a packet can also be read
» thus, the fingerprint of a virus or trojan can be
identified
the firewall stores connection information in
state tables
TCP ports above 1024 can be read and
filtered out if required
A Good Filtering Strategy
Use stateful IP filtering:
to filter entire communication streams
Do not allow any TCP services through
EXCEPT:
those that are specifically allowed (e.g. port
80)
those that are part of connections that are
still in the state tables
» no entry in state table – drop packet!
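The filtering strategy above as an added example (not the lecture's code): a state table keyed on the connection's endpoint pair, an explicit allow list for new inbound connections, and "no entry, drop packet" for everything else. The internal network and addresses are constructed; real firewalls also age entries out of the table, which is omitted here.

```python
import ipaddress

class StatefulFilter:
    """Tracks TCP connections in a state table so that reply traffic (on any port,
    including those above 1024) is admitted only when the connection is known."""

    def __init__(self, internal_net: str, allowed_inbound_ports):
        self.internal = ipaddress.ip_network(internal_net)
        self.allowed = set(allowed_inbound_ports)
        self.table = {}   # state table: unordered endpoint pair -> connection state

    def process(self, src: str, sport: int, dst: str, dport: int, flags: str) -> str:
        """flags is a string of TCP flag letters, e.g. "S", "SA", "A", "F", "R"."""
        key = frozenset({(src, sport), (dst, dport)})
        if key in self.table:
            # packet belongs to a tracked connection: pass it and update the entry
            if "R" in flags:
                del self.table[key]                   # reset ends the connection at once
            elif "F" in flags:
                self.table[key] = "CLOSING"           # a real firewall would time this out
            elif "S" in flags and "A" in flags:
                self.table[key] = "ESTABLISHED"
            return "allow"
        if flags == "S":
            # new connection attempt: allowed outbound, or inbound to an allowed port
            outbound = ipaddress.ip_address(src) in self.internal
            if outbound or dport in self.allowed:
                self.table[key] = "SYN_SENT"
                return "allow"
        return "drop"                                  # no entry in state table: drop packet

    def state_of(self, a: str, aport: int, b: str, bport: int):
        """Look up the recorded state of a connection, or None if it is not in the table."""
        return self.table.get(frozenset({(a, aport), (b, bport)}))
```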
Internal Network Address Translation (NAT)
Another potential way in for IP hackers
external packets undergo protocol translation
before they can travel along the local network
this means an unfiltered port, e.g. 8080, can be
changed to a filtered port, e.g. 23, and then passed to a
local server…
Trojan Horses use this strategy to hack
through the firewall and get to the internal
network
Security-enhancing use of NAT
NAT was defined by the IETF as RFC #1631
The purpose of NAT is to convert local private
IP addresses into globally unique public IP
addresses that can be used on the Internet
on the one hand this provides opportunities for
trojan horses
on the other hand, it hides all TCP/IP information
relating to the internal network from would-be
hackers or anyone else on the Internet
this means that any group of IP addresses under
the sun can be used on the local network
More about NAT
Reduced the demand for IPv6 in the
short term
A single external IP address can be
used for a 5000 computer network!
IANA (now part of ICANN) used RFC
#1918 to allocate particular IP address
ranges for private use such as NAT:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
Masquerading NAT
Outbound packets are translated to the
public/routable IP address of the firewall and
may need to be given a different source port
(if the original port is already in use on the
firewall)
Called "masquerading" because all outbound
connections appear to be originating on the
firewall itself
Inbound connections cannot be accepted
because the firewall doesn't know which
client to send them to
Non-Masquerading NAT
Each private IP address on a client has a
corresponding public/routable IP address on
the firewall
NAT translation is done one-to-one between
pairs of public and private IP addresses
Port numbers remain unchanged
Needed for protecting servers with the
Logical Firewall (and is the type you get for
clients you've specified to the rule generator)
Inbound connections to clients are accepted
via the client's public/routable IP address on
the firewall
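Both translation modes from the two slides above as an added example (not the lecture's code): masquerading NAT rewrites every outbound connection to the firewall's single public address, reassigning the source port when the original is already in use, and has nowhere to deliver an unsolicited inbound packet; non-masquerading NAT maps addresses one-to-one, leaves ports alone, and accepts inbound connections via the client's public address. All addresses are constructed.

```python
class MasqueradingNAT:
    """Many-to-one NAT: all outbound traffic appears to originate on the firewall."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.out_map = {}   # (private ip, private port) -> public port on the firewall
        self.in_map = {}    # public port on the firewall -> (private ip, private port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port)
        if key not in self.out_map:
            public_port = src_port
            while public_port in self.in_map:       # original port already in use on firewall
                public_port += 1
            self.out_map[key] = public_port
            self.in_map[public_port] = key
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        if dst_port not in self.in_map:
            return None                              # firewall does not know which client: dropped
        priv_ip, priv_port = self.in_map[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)


class StaticNAT:
    """One-to-one NAT: each private address has its own public address; ports unchanged."""

    def __init__(self, pairs: dict):
        self.priv_to_pub = dict(pairs)              # private ip -> public ip
        self.pub_to_priv = {pub: priv for priv, pub in pairs.items()}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        return (self.priv_to_pub[src_ip], src_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        if dst_ip not in self.pub_to_priv:
            return None                              # no client owns this public address
        return (src_ip, src_port, self.pub_to_priv[dst_ip], dst_port)
```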
Limitations of NAT
NOT a panacea
it does make the internal network invisible
but STATIC translation can still be hacked!
Avoid masquerading NAT, if possible
makes it look like the firewall itself is misbehaving if
one of its clients misbehaves
increases the risk that the ISP will disconnect the
firewall rather than the offending client!
Using non-masquerading NAT allows the ISP to
identify and disconnect only the offending client
Summary of Internet Security Technologies covered in this Module
Local authentication/logon and denial of
access security
Privacy/Encryption
Global Authentication/Kerberos &
Trusted Networks
Data Protection/Virtual Private
Networks
PKI/Digital certificates
PKI/Secure Sockets Layer
Network Protection/Packet Filtering