COMP3371 Cyber Security
Richard Henson
University of Worcester
December 2015
Week 12: Securing the TCP/IP stack

Objectives:
 • Explain how stateless IP filtering can be a useful tool for protecting networks against hackers
 • Discuss the limitations of stateless IP filtering and explain how some of these are overcome by the use of stateful IP filtering
 • Summarise the various other techniques that can be used to combat data security threats

Datagrams, Packets and the Transport Layer

Transport layer datagram… up to 64K long
 • IP layer & routing processes divide it into smaller packets

The IP packets have to be physically routed around the network
 • It is the management of these that we will be concerned with in this lecture…

When the packets reach their destination, packets need to be reassembled at the transport layer into the original datagram

TCP and IP packets

[Diagram] TCP packet (up to 64K): header + payload (data); carried as IP packets (up to 768 bytes), each with extra header fields

More about IP packets

[Diagram] IP packet: header (20 bytes) + payload (data, typically 768 bytes)

Standard IP Packet Header

Highly structured and organised into a series of fields so it can be easily read
 • Lengths
   » Header
   » Whole packet
 • Identification
 • Fragment #
 • TTL
 • Protocol (TCP or UDP)
 • Source IP Address
 • Destination IP Address
 • Options (e.g. source routing method)

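The fields listed above are exactly what a stateless filter gets to look at. The following Python is an added example, not part of the lecture: it parses a constructed IPv4 header using only the standard library, verifies the header checksum, and exposes the lengths, identification, fragment offset, TTL, protocol, addresses and options. The packet bytes, addresses and option contents are constructed for the demonstration; the protocol numbers and the option type codes (131 for loose source route, 137 for strict source route) are the IANA/RFC 791 values.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# IANA protocol numbers for the four protocol types the lecture lists
PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
# IPv4 option type codes from RFC 791
OPT_EOL, OPT_NOP, OPT_LSRR, OPT_SSRR = 0, 1, 131, 137
FLAG_DF, FLAG_MF = 0x2, 0x1   # 3-bit flags field: reserved, DF, MF


@dataclass
class IPv4Header:
    header_len: int          # bytes (IHL * 4); 20 without options
    total_len: int           # header + payload, in bytes
    identification: int
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int     # in 8-byte units; 0 for the first fragment
    ttl: int
    protocol: int
    src: str
    dst: str
    options: dict = field(default_factory=dict)   # option type -> raw option bytes


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 for a header whose checksum is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_options(raw: bytes) -> dict:
    """Walk the type/length/value options that follow the 20-byte fixed header."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed IPv4 option")
        opts[kind] = raw[i:i + raw[i + 1]]
        i += raw[i + 1]
    return opts


def parse_ipv4_header(raw: bytes) -> IPv4Header:
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20 or len(raw) < header_len:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(raw[:header_len]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    flags = flags_frag >> 13
    return IPv4Header(
        header_len=header_len, total_len=total_len, identification=ident,
        dont_fragment=bool(flags & FLAG_DF), more_fragments=bool(flags & FLAG_MF),
        fragment_offset=flags_frag & 0x1FFF, ttl=ttl, protocol=proto,
        src=str(IPv4Address(src)), dst=str(IPv4Address(dst)),
        options=parse_options(raw[20:header_len]),
    )


def build_ipv4_header(src, dst, protocol, ident, ttl=64, flags=0,
                      frag_offset=0, options=b"", payload_len=0) -> bytes:
    """Build a header with a valid checksum (used here only to construct sample packets)."""
    options += b"\x00" * (-len(options) % 4)      # pad options to a 32-bit boundary with EOL
    header_len = 20 + len(options)
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | header_len // 4, 0, header_len + payload_len,
                        ident, (flags << 13) | frag_offset, ttl, protocol, 0,
                        IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = fixed + options
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def uses_source_routing(hdr: IPv4Header) -> bool:
    """True if the packet carries a loose or strict source-route option."""
    return OPT_LSRR in hdr.options or OPT_SSRR in hdr.options


# Constructed sample packets: private address from RFC 1918, public ones from RFC 5737.
SAMPLE_PLAIN = build_ipv4_header("192.168.1.10", "203.0.113.5", 6, ident=0x1234, payload_len=40)
SAMPLE_FRAGMENT = build_ipv4_header("192.168.1.10", "203.0.113.5", 6, ident=0x1234,
                                    frag_offset=185, payload_len=8)
LSRR_OPTION = bytes([OPT_LSRR, 7, 4]) + IPv4Address("198.51.100.9").packed   # one listed hop
SAMPLE_ROUTED = build_ipv4_header("192.168.1.10", "203.0.113.5", 17, ident=0x1235,
                                  options=LSRR_OPTION, payload_len=8)

if __name__ == "__main__":
    for pkt in (SAMPLE_PLAIN, SAMPLE_FRAGMENT, SAMPLE_ROUTED):
        h = parse_ipv4_header(pkt)
        print(PROTOCOL_NAMES.get(h.protocol, h.protocol), h.src, "->", h.dst, "len", h.total_len,
              "frag", h.fragment_offset, "source-routed:", uses_source_routing(h))
```

Rejecting a header whose checksum does not verify before reading any field is the cheap first check: a filter that acts on a corrupted protocol or address field makes decisions on garbage.
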
Stateless Packet Filtering

 • packet header is read
   » If source IP address is suspect, packet is “dumped”
   » else packet is allowed through
 • can be done quickly, and the packet body (or “payload”) doesn’t have to be processed in any way

Stateful Packet Filters

Stateless filters just read the header and act
 • do not read the payloads of packets
 • do not retain the current state of connections within the session
 • can’t filter TCP port numbers higher than 1024

Stateful filters…
 • record session establishment info
 • remember the state of connections

Stateless Packet Filters

Use the IP header only
 • contains a lot of fields & their data

A firewall can be configured to filter according to contents of various header fields:
 • Protocol type
 • IP address
 • TCP/UDP port
 • Source routing information
 • Fragment number

Filtering by “Protocol Type”?

Four possible values:
 • UDP
 • TCP
 • ICMP – Internet Control Message Protocol
 • IGMP – Internet Group Management Protocol

Each protocol maps onto higher level protocols
 • filtering out one port can shut off a lot of services!

Conclusion
 • Too general, not enough control
 • Advice: leave this field OPEN (no filtering)

Filtering by IP address

Normally focuses on the source IP address field:
 • can allow all IP addresses except…
 • or deny all IP addresses except…

The latter is an excellent way of safeguarding the local network…
 • would be unpopular as far as surfing the web is concerned!

More flexible firewalls allow IP addresses to be restricted on a “per protocol” basis, e.g.
 • No IP address filtering on port 80
 • Only local IP addresses can use port 23

IP Filtering by TCP/UDP port

Also known as “protocol filtering”

The Level 4 port field is a number corresponding to a higher level protocol name
 • e.g. port 21: FTP

Used in the same way as IP address filtering (allow… deny…)

Problem: Fragmentation

Large TCP packets are broken into a series of numbered IP fragments
Only the first fragment (numbered 0) has a TCP/UDP port field
The rest of the fragments therefore can’t be filtered by protocol
Earlier firewalls let them through because they are useless without the “parent” packet
 • however, there have been instances whereby hackers have reassembled them
 • therefore higher fragment numbers in this category should also be filtered

IP Filtering by TCP/UDP port

Certain protocols are favourites for hackers, e.g.:
 • Telnet
 • NetBIOS
 • POP3
 • NFS
 • Windows Terminal Services

Should be blocked, unless being legitimately used to provide services

Filtering by “Source Routing Information”

This field gives information about the route taken by the packet
Handled in two ways:
 • Loose source routing
   » only a small number of intermediate IP addresses
 • Strict source routing
   » Provides an exact route

However:
 • hackers can use source routing to confuse
 • no higher level protocols actually use source routing…

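The stateless criteria from the last few slides (protocol type, source address, TCP/UDP port, fragment number and the source-routing option) can be brought together in one rule evaluator that looks at header fields only. This Python is an added example, not part of the lecture: the local network 192.168.1.0/24, the rule set and the sample packets are constructed, and the port numbers for the "favourite" services are their IANA-registered ones (Telnet 23, NetBIOS session 139, POP3 110, NFS 2049, Windows Terminal Services 3389). It drops source-routed packets and non-initial fragments before consulting the rules, which is the policy the slides arrive at.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Registered ports of the services the lecture calls hacker favourites
RISKY_PORTS = {23: "Telnet", 139: "NetBIOS session", 110: "POP3",
               2049: "NFS", 3389: "Windows Terminal Services"}
LOCAL_NET = "192.168.1.0/24"          # constructed: the network behind the firewall


@dataclass(frozen=True)
class PacketHdr:
    """The header fields a stateless filter has available; nothing from the payload."""
    protocol: str                      # "TCP", "UDP", "ICMP" or "IGMP"
    src: str
    dst: str
    fragment_offset: int = 0           # 0 for the first (or only) fragment
    dport: Optional[int] = None        # only present on fragment 0 of TCP/UDP
    source_routed: bool = False        # loose or strict source-route option present


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    protocol: Optional[str] = None     # None matches any protocol type
    src: Optional[str] = None          # CIDR; None matches any source
    dport: Optional[int] = None        # None matches any port (or no port at all)

    def matches(self, pkt: PacketHdr) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def stateless_filter(pkt: PacketHdr, rules, default="deny"):
    """First-match evaluation over header fields; returns (verdict, reason)."""
    # No higher-level protocol needs source routing, so the option is grounds for a drop.
    if pkt.source_routed:
        return "deny", "source-routing option present"
    # Later fragments carry no port field and cannot be classified, so drop them too.
    if pkt.fragment_offset != 0:
        return "deny", "non-initial fragment"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, f"matched {rule}"
    return default, "default policy"


# Constructed rule set: web open to all, Telnet only from local addresses,
# the risky services denied from anywhere, everything else denied by default.
RULES = [
    Rule("allow", protocol="TCP", dport=80),
    Rule("allow", protocol="TCP", src=LOCAL_NET, dport=23),
    *[Rule("deny", dport=port) for port in RISKY_PORTS],
]

if __name__ == "__main__":
    samples = [  # constructed packets
        PacketHdr("TCP", "203.0.113.7", "192.168.1.20", dport=80),
        PacketHdr("TCP", "203.0.113.7", "192.168.1.20", dport=23),
        PacketHdr("TCP", "192.168.1.5", "192.168.1.20", dport=23),
        PacketHdr("TCP", "203.0.113.7", "192.168.1.20", fragment_offset=185),
        PacketHdr("TCP", "203.0.113.7", "192.168.1.20", dport=80, source_routed=True),
        PacketHdr("ICMP", "203.0.113.7", "192.168.1.20"),
    ]
    for pkt in samples:
        print(pkt.protocol, pkt.src, "->", pkt.dport, stateless_filter(pkt, RULES))
```

Rule order matters in a first-match filter: the local-Telnet allow must sit above the blanket deny for port 23, and the default policy only applies to packets no rule claims. Note what this filter cannot do: it has no idea whether an inbound segment on a high port is a reply to something a local host asked for, which is the gap the stateful approach closes.
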
Stateful IP filtering

Using this more exhaustive technique:
 • the payload of a packet can also be read
   » thus, the fingerprint of a virus or trojan can be identified
 • the firewall stores connection information in state tables
 • TCP ports above 1024 can be read and filtered out if required

Stateful Filtering Strategy…

Use to filter entire communication streams
 • Do not allow any TCP services through EXCEPT:
   » those that are specifically allowed (e.g. port 80)
   » those that are part of connections that are still in the state tables
   » no entry in state table – drop packet!

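The strategy on this slide is a small state machine. The Python below is an added example, not part of the lecture, of a TCP state table that implements it: an outbound SYN from the local network creates an entry, inbound SYNs are accepted only for the specifically allowed ports, anything matching an existing entry (in either direction, whatever the port) passes, and everything else is dropped because there is no entry in the state table. The segment shape, the local network 192.168.1.0/24, the idle timeout and the sample traffic are constructed; the teardown handling is simplified (a single FIN or RST removes the entry).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TcpSegment:
    """The fields a stateful filter keys on (constructed shape, not a wire format)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()     # subset of {"SYN", "ACK", "FIN", "RST"}


class StatefulFilter:
    def __init__(self, local_net: str, allowed_inbound_ports, idle_timeout=300):
        self.local = ip_network(local_net)
        self.allowed = set(allowed_inbound_ports)   # e.g. {80}: specifically allowed services
        self.idle_timeout = idle_timeout            # seconds before a silent entry is dropped
        self.table = {}                             # state table: 4-tuple -> last seen time

    def _is_local(self, ip: str) -> bool:
        return ip_address(ip) in self.local

    def _expire(self, now: float) -> None:
        self.table = {k: t for k, t in self.table.items() if now - t <= self.idle_timeout}

    def process(self, seg: TcpSegment, now: float):
        """Returns (verdict, reason) and updates the state table."""
        self._expire(now)
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        reverse = (seg.dst, seg.dport, seg.src, seg.sport)
        entry = key if key in self.table else reverse if reverse in self.table else None
        if entry is not None:
            # Part of a connection already in the state table: allowed regardless of port.
            if seg.flags & {"FIN", "RST"}:
                del self.table[entry]      # simplified teardown; a real filter tracks both FINs
                return "allow", "connection closing"
            self.table[entry] = now
            return "allow", "established connection"
        if "SYN" in seg.flags and "ACK" not in seg.flags:
            outbound = self._is_local(seg.src) and not self._is_local(seg.dst)
            if outbound:
                self.table[key] = now
                return "allow", "new outbound connection recorded"
            if self._is_local(seg.dst) and seg.dport in self.allowed:
                self.table[key] = now
                return "allow", f"specifically allowed service on port {seg.dport}"
        # Anything else (unsolicited inbound, or a non-SYN with no entry): drop.
        return "deny", "no entry in state table"


if __name__ == "__main__":
    fw = StatefulFilter("192.168.1.0/24", allowed_inbound_ports={80})
    SYN, SYN_ACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    trace = [  # constructed traffic: a client browsing out, a reply, an unsolicited probe
        (0, TcpSegment("192.168.1.10", 40000, "203.0.113.5", 443, SYN)),
        (1, TcpSegment("203.0.113.5", 443, "192.168.1.10", 40000, SYN_ACK)),
        (1, TcpSegment("203.0.113.5", 443, "192.168.1.10", 40001, ACK)),
        (2, TcpSegment("203.0.113.5", 50000, "192.168.1.20", 80, SYN)),
        (2, TcpSegment("203.0.113.5", 50000, "192.168.1.20", 8080, SYN)),
    ]
    for now, seg in trace:
        print(f"t={now}", seg.src, seg.sport, "->", seg.dst, seg.dport, fw.process(seg, now))
```

The reply on port 443 to the client's own high port is accepted even though no rule mentions port 443 or port 40000; the packet to port 40001, which no local host asked for, is dropped. The idle timeout keeps the state table from growing without bound, which is the cost a stateful filter pays for remembering connections.
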
Internal Network Address Translation (NAT)

Another potential way in for IP hackers
 • external packets undergo protocol translation before they can travel along the local network
 • this means an unfiltered port, e.g. 8080, can be changed to a filtered port, e.g. 23, and then passed to a local server…

Trojan Horses use this strategy to hack through the firewall and get to the internal network

Security-enhancing use of NAT

NAT defined by the IETF as RFC #1631

Converts local private IP addresses into globally unique public IP addresses that can be used on the Internet
 • provides opportunities for trojan horses
 • but… hides all TCP/IP information relating to the internal network from would-be hackers or anyone else on the Internet

More about NAT

Reduced the demand for IPv6 in the short term
RFC #1918 (IANA) sets aside particular IP address ranges for private use:
   » 10.0.0.0 to 10.255.255.255
   » 172.16.0.0 to 172.31.255.255
   » 192.168.0.0 to 192.168.255.255
A single external IP address can be used for a 5000 computer network!

Masquerading NAT

Outbound packets are translated to the public/routable IP address of the firewall
 • called "masquerading" because all outbound connections appear to be originating on the firewall itself
 • An app may need to be given a different source port (if the original port is already in use on the firewall)

Inbound connections cannot be accepted because the firewall doesn't know which client to send them to

Non-Masquerading NAT

Each private IP address on a client has a corresponding public/routable IP address on the firewall
NAT translation is done one-to-one between pairs of public and private IP addresses
Port numbers remain unchanged
Needed for protecting servers with the Logical Firewall (and is the type you get for clients you've specified to the rule generator)
Inbound connections to clients are accepted via the client's public/routable IP address on the firewall

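The two NAT styles on the last two slides differ in what the firewall has to remember. This Python is an added example, not part of the lecture: a masquerading translator that rewrites every outbound flow to one public address, reassigns the source port when the client's own port is already in use on the firewall, and returns None for inbound packets with no mapping (nothing to send them to); beside it, a one-to-one translator where each private address has its own public address, ports are untouched, and unsolicited inbound connections are delivered. The flow shape, addresses and port range are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """Addressing fields of one packet (constructed shape, not a wire format)."""
    src: str
    sport: int
    dst: str
    dport: int


class MasqueradingNAT:
    """All clients share the firewall's single public address; ports tell them apart."""

    def __init__(self, public_ip: str, port_range=(1024, 65535)):
        self.public_ip = public_ip
        self.low, self.high = port_range
        self.outbound = {}   # (private ip, private port) -> public port on the firewall
        self.inbound = {}    # public port -> (private ip, private port)

    def _free_port(self, wanted: int) -> int:
        # Keep the client's own port unless the firewall already uses it for another client.
        if wanted not in self.inbound:
            return wanted
        for port in range(self.low, self.high + 1):
            if port not in self.inbound:
                return port
        raise RuntimeError("no free ports on the firewall")

    def translate_outbound(self, flow: Flow) -> Flow:
        key = (flow.src, flow.sport)
        if key not in self.outbound:
            port = self._free_port(flow.sport)
            self.outbound[key] = port
            self.inbound[port] = key
        return replace(flow, src=self.public_ip, sport=self.outbound[key])

    def translate_inbound(self, flow: Flow) -> Optional[Flow]:
        # Only a reply to a mapped flow can be delivered; anything else has no client to go to.
        if flow.dst != self.public_ip or flow.dport not in self.inbound:
            return None
        priv_ip, priv_port = self.inbound[flow.dport]
        return replace(flow, dst=priv_ip, dport=priv_port)


class OneToOneNAT:
    """Each client has its own public address on the firewall; ports are untouched."""

    def __init__(self, private_to_public: dict):
        self.priv_to_pub = dict(private_to_public)
        self.pub_to_priv = {pub: priv for priv, pub in private_to_public.items()}

    def translate_outbound(self, flow: Flow) -> Optional[Flow]:
        if flow.src not in self.priv_to_pub:
            return None
        return replace(flow, src=self.priv_to_pub[flow.src])

    def translate_inbound(self, flow: Flow) -> Optional[Flow]:
        # Unsolicited inbound connections are accepted: the public address identifies the client.
        if flow.dst not in self.pub_to_priv:
            return None
        return replace(flow, dst=self.pub_to_priv[flow.dst])


if __name__ == "__main__":
    nat = MasqueradingNAT("198.51.100.1")           # constructed public address
    for client in ("192.168.1.10", "192.168.1.11"):  # both clients pick source port 5000
        print("out:", nat.translate_outbound(Flow(client, 5000, "203.0.113.5", 80)))
    print("reply:", nat.translate_inbound(Flow("203.0.113.5", 80, "198.51.100.1", 1024)))
    print("unsolicited:", nat.translate_inbound(Flow("203.0.113.5", 80, "198.51.100.1", 2222)))
    o2o = OneToOneNAT({"192.168.1.20": "198.51.100.20"})
    print("one-to-one inbound:", o2o.translate_inbound(Flow("203.0.113.5", 40000, "198.51.100.20", 22)))
```

The second client's port 5000 collides with the first client's mapping, so the firewall hands it port 1024; the reply addressed to 198.51.100.1:1024 is routed back to 192.168.1.11:5000, while a packet to an unmapped port is dropped. With the one-to-one map every client keeps its own public address, which is also why the ISP can tell which client is misbehaving.
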
Limitations of NAT

NOT a panacea
 • does make the internal network invisible
 • STATIC translation can still be hacked!

Avoid masquerading NAT, if possible
 • makes it look like the firewall itself is misbehaving if one of its clients misbehaves
 • increases the risk that the ISP will disconnect the firewall rather than the offending client!

Using non-masquerading NAT allows the ISP to identify and disconnect only the offending client

Summary of Security Technologies covered…

 • Local authentication/logon and denial of access security
 • Privacy/Encryption
 • PKI/Digital certificates/Secure Sockets Layer/Virtual Private Networks
 • Global Authentication/Active Directory/DNS/Kerberos & Trusted Networks
 • Network Protection/Firewalls/Packet Filtering

Software Vulnerabilities and strategies for management

All software should be thoroughly tested…
 • Takes time!
 • Time is money!!
 • Short-cuts are taken!!!

Software Vulnerabilities and Exploitation

Important for software bugs to be announced
 • problem: also informs black hats
 • solution: announce fix/patch at the same time
   » all users should download & install patches
   » close the vulnerability

Vulnerabilities and Consequences

System crashes can be the result of:
 • faulty components
 • dodgy, unpatched, software
 • software and hardware compromised by malicious software (malware), attacks by hackers, or employer misuse

Essential for backup system to kick in to provide a service to customers while the main system is being fixed

Human Vulnerabilities

All IT systems use humans
 • Therefore vulnerable to human frailty…
   » e.g. accidental deletion of a file may cause system to become unstable!

Training can help (a lot…)
 • As can procedures and penalties for infringement (even termination of contract)

Best have a backup!
 • Memory… motherboard… disk controller… hard disk… applications… CPU… even electricity supply!

A backup for everything is expensive…
BUT… businesses need continuity (availability of IT systems nearly all the time)
   » otherwise may become ex-businesses!

Dress Rehearsal

Only one way to see whether backups all work…
 • set up a disaster scenario
   » If systems are all backed up, recovery should be quick
   » else… system won’t restart
   » no service, no business?

Information Assurance (IA)

Three components required:
 • Effective infosec system (incl. monitoring)
 • Controls… (or “take the risk”)
   » for all potential vulnerabilities
   » number needed depends on complexity of system
 • Evidence that the controls are working… (established through auditing)

Controls may take many forms:
 • hardware, software, management, user

IA Standards

Many available
 • different standards fit different usage of IT

Assignment 2 Presentation
 • choose an existing standard
 • state who it is aimed at and used by and why appropriate for Partsfix
 • explain the controls set
 • explain the system that governs the controls and adherence to laws and regulations over time…
 • give some idea of cost of implementing it

Auditing

Essential process that avoids an organisation pressurising an assessor
 • evidence, not talk, required
 • system needs to build in auditing on a regular basis
   » takes time!

May reveal “non-conformance” (NC)
 • No certification until most NCs identified and turned into conformances

IA Certification

Awarded through:
 • Auditing (ISO27001, IASME, PCI-DSS, etc.)
 • Self-assessment (Cyber Essentials)

Why bother?